Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Pi648je050.exe

Overview

General Information

Sample name:Pi648je050.exe
renamed because original name is a hash value
Original sample name:22c46eed2c96ab6e83aa4e917bc36fb76ff4abc83e01fcceaef07fcc7e8d9265.exe
Analysis ID:1550182
MD5:b47427b1a08950c5d561d65b664f0100
SHA1:2c45c83042460e904ce6d0607b67472b505637ad
SHA256:22c46eed2c96ab6e83aa4e917bc36fb76ff4abc83e01fcceaef07fcc7e8d9265
Tags:AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Pi648je050.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\Pi648je050.exe" MD5: B47427B1A08950C5D561D65B664F0100)
    • RegSvcs.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\Pi648je050.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • Pi648je050.exe (PID: 5716 cmdline: "C:\Users\user\Desktop\Pi648je050.exe" MD5: B47427B1A08950C5D561D65B664F0100)
      • RegSvcs.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\Pi648je050.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • sgxIb.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sgxIb.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
        • 0x41068:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
        • 0x410da:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
        • 0x41164:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
        • 0x411f6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
        • 0x41260:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
        • 0x412d2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
        • 0x41368:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
        • 0x413f8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
        00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
        • 0x3ae3e:$s2: GetPrivateProfileString
        • 0x3e316:$s3: get_OSFullName
        • 0x3b56c:$s5: remove_Key
        • 0x3b58c:$s5: remove_Key
        • 0x3e773:$s6: FtpWebRequest
        • 0x4104a:$s7: logins
        • 0x415bc:$s7: logins
        • 0x44313:$s7: logins
        • 0x4437f:$s7: logins
        • 0x47558:$s7: logins
        • 0x44f19:$s9: 1.85 (Hash, version 2, native byte-order)
        Click to see the 16 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.RegSvcs.exe.400000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
        • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
        • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
        • 0x700:$s3: 83 EC 38 53 B0 44 88 44 24 2B 88 44 24 2F B0 01 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
        • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
        • 0x1e9d0:$s5: delete[]
        • 0x1de88:$s6: constructor or from DllMain.
        4.2.RegSvcs.exe.276fcbe.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          4.2.RegSvcs.exe.276fcbe.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            4.2.RegSvcs.exe.276fcbe.2.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              4.2.RegSvcs.exe.276fcbe.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
              • 0x40150:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
              • 0x401c2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
              • 0x4024c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
              • 0x402de:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
              • 0x40348:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
              • 0x403ba:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
              • 0x40450:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
              • 0x404e0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
              Click to see the 49 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: CurrentVersion Autorun Keys Modification
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6484, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-06T15:08:14.496660+010020229301A Network Trojan was detected52.149.20.212443192.168.2.649754TCP
              2024-11-06T15:08:53.390109+010020229301A Network Trojan was detected52.149.20.212443192.168.2.649954TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
              Multi AV Scanner detection for submitted file
              Source: Pi648je050.exeReversingLabs: Detection: 60%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for sample
              Source: Pi648je050.exeJoe Sandbox ML: detected
              Source: Pi648je050.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb, source: sgxIb.exe, 00000006.00000000.2290173873.00000000001A2000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe.4.dr
              Source: Binary string: wntdll.pdbUGP source: Pi648je050.exe, 00000000.00000003.2133263464.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000000.00000003.2139357941.0000000004640000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2157970396.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2160401388.0000000004690000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Pi648je050.exe, 00000000.00000003.2133263464.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000000.00000003.2139357941.0000000004640000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2157970396.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2160401388.0000000004690000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: sgxIb.exe, 00000006.00000000.2290173873.00000000001A2000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe.4.dr
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00452126
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,3_2_0045C999
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,3_2_00436ADE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00434BEE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0045DD7C FindFirstFileW,FindClose,3_2_0045DD7C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,3_2_0044BD29
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,3_2_00436D2D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00442E1F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_00475FE5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0044BF8D

              Networking

              barindex
              Connects to many ports of the same IP (likely port scanning)
              Source: global trafficTCP traffic: 110.4.45.197 ports 62480,64330,64682,65008,59023,63314,59550,56341,51380,58262,1,2,56986,60753,50443,57947,21
              Source: global trafficTCP traffic: 192.168.2.6:49731 -> 110.4.45.197:56341
              Source: Joe Sandbox ViewIP Address: 110.4.45.197 110.4.45.197
              Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
              Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownDNS query: name: api.ipify.org
              Source: unknownDNS query: name: api.ipify.org
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49754
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49954
              Source: unknownFTP traffic detected: 110.4.45.197:21 -> 192.168.2.6:49715 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: api.ipify.org
              Source: global trafficDNS traffic detected: DNS query: ftp.haliza.com.my
              Source: RegSvcs.exe, 00000004.00000002.4600489744.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.haliza.com.my
              Source: RegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: RegSvcs.exe, 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
              Source: RegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://api.ipify.org
              Source: RegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
              Source: RegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49712 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Contains functionality to log keystrokes (.Net Source)
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, SKTzxzsJw.cs.Net Code: _71ZRqC1D
              Installs a global keyboard hook
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_00459FFF
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_0047C08E

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 0.2.Pi648je050.exe.3b80000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.Pi648je050.exe.3750000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 00000000.00000002.2143641913.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000004.00000002.4598852140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000003.00000002.2162568735.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,3_2_004364AA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00409A400_2_00409A40
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004120380_2_00412038
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004271610_2_00427161
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0047E1FA0_2_0047E1FA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004212BE0_2_004212BE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004433900_2_00443390
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004433910_2_00443391
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0041A46B0_2_0041A46B
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0041240C0_2_0041240C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004465660_2_00446566
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004045E00_2_004045E0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0041D7500_2_0041D750
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004037E00_2_004037E0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004278590_2_00427859
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004128180_2_00412818
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040F8900_2_0040F890
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0042397B0_2_0042397B
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00411B630_2_00411B63
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0047CBF00_2_0047CBF0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044EBBC0_2_0044EBBC
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00412C380_2_00412C38
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044ED9A0_2_0044ED9A
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00423EBF0_2_00423EBF
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00424F700_2_00424F70
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0041AF0D0_2_0041AF0D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_03F50A380_2_03F50A38
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00409A403_2_00409A40
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004120383_2_00412038
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004271613_2_00427161
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0047E1FA3_2_0047E1FA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004212BE3_2_004212BE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004433903_2_00443390
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004433913_2_00443391
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0041A46B3_2_0041A46B
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0041240C3_2_0041240C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004465663_2_00446566
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004045E03_2_004045E0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0041D7503_2_0041D750
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004037E03_2_004037E0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004278593_2_00427859
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004128183_2_00412818
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0040F8903_2_0040F890
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0042397B3_2_0042397B
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00411B633_2_00411B63
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0047CBF03_2_0047CBF0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044EBBC3_2_0044EBBC
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00412C383_2_00412C38
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044ED9A3_2_0044ED9A
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00423EBF3_2_00423EBF
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00424F703_2_00424F70
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0041AF0D3_2_0041AF0D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_03F9FA383_2_03F9FA38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00408C604_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040DC114_2_0040DC11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00407C3F4_2_00407C3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00418CCC4_2_00418CCC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00406CA04_2_00406CA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004028B04_2_004028B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041A4BE4_2_0041A4BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004182444_2_00418244
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004016504_2_00401650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00402F204_2_00402F20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004193C44_2_004193C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004187884_2_00418788
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00402F894_2_00402F89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00402B904_2_00402B90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004073A04_2_004073A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026ED8B04_2_026ED8B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026ECC984_2_026ECC98
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026ECFE04_2_026ECFE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026E0FD04_2_026E0FD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026E10304_2_026E1030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060B67484_2_060B6748
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060BCFC84_2_060BCFC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060BF2784_2_060BF278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060B9A884_2_060B9A88
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060B857C4_2_060B857C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060B00064_2_060B0006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060B00404_2_060B0040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060BC0E84_2_060BC0E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_060BF9C74_2_060BF9C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064B07404_2_064B0740
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064B552A4_2_064B552A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064BA8104_2_064BA810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064B86E04_2_064B86E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064BDAE84_2_064BDAE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_064B18384_2_064B1838
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0040E1D8 appears 44 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 00425210 appears 58 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 00445975 appears 130 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 0041171A appears 74 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 0041832D appears 52 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 004136BC appears 36 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 004092C0 appears 50 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 0041718C appears 90 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 00401B70 appears 46 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 0040E6D0 appears 70 times
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: String function: 0043362D appears 38 times
              Source: Pi648je050.exe, 00000000.00000003.2139357941.000000000476D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Pi648je050.exe
              Source: Pi648je050.exe, 00000000.00000003.2135168507.00000000045C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Pi648je050.exe
              Source: Pi648je050.exe, 00000000.00000002.2143641913.0000000003B80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs Pi648je050.exe
              Source: Pi648je050.exe, 00000003.00000003.2159784180.0000000004613000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Pi648je050.exe
              Source: Pi648je050.exe, 00000003.00000003.2160401388.00000000047BD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Pi648je050.exe
              Source: Pi648je050.exe, 00000003.00000002.2162568735.0000000003750000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs Pi648je050.exe
              Source: Pi648je050.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 0.2.Pi648je050.exe.3b80000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.Pi648je050.exe.3750000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 00000000.00000002.2143641913.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000004.00000002.4598852140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.2162568735.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/5@2/2
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,3_2_00464422
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,3_2_004364AA
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\sgxIbJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
              Source: C:\Users\user\Desktop\Pi648je050.exeFile created: C:\Users\user\AppData\Local\Temp\IdonnaJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCommand line argument: #v0_2_0040D7F0
              Source: C:\Users\user\Desktop\Pi648je050.exeCommand line argument: #v3_2_0040D7F0
              Source: Pi648je050.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Pi648je050.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Pi648je050.exeReversingLabs: Detection: 60%
              Source: C:\Users\user\Desktop\Pi648je050.exeFile read: C:\Users\user\Desktop\Pi648je050.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\Pi648je050.exe "C:\Users\user\Desktop\Pi648je050.exe"
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Users\user\Desktop\Pi648je050.exe "C:\Users\user\Desktop\Pi648je050.exe"
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Users\user\Desktop\Pi648je050.exe "C:\Users\user\Desktop\Pi648je050.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
              Source: Pi648je050.exeStatic file information: File size 1267163 > 1048576
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb, source: sgxIb.exe, 00000006.00000000.2290173873.00000000001A2000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe.4.dr
              Source: Binary string: wntdll.pdbUGP source: Pi648je050.exe, 00000000.00000003.2133263464.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000000.00000003.2139357941.0000000004640000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2157970396.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2160401388.0000000004690000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Pi648je050.exe, 00000000.00000003.2133263464.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000000.00000003.2139357941.0000000004640000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2157970396.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, Pi648je050.exe, 00000003.00000003.2160401388.0000000004690000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: sgxIb.exe, 00000006.00000000.2290173873.00000000001A2000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe.4.dr

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
              Source: Pi648je050.exeStatic PE information: real checksum: 0xa2135 should be: 0x13de14
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004171D1 push ecx; ret 0_2_004171E4
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004171D1 push ecx; ret 3_2_004171E4
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00490860 push A80B330Ah; ret 3_2_00490CD5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C40C push cs; iretd 4_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00423149 push eax; ret 4_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C50E push cs; iretd 4_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004231C8 push eax; ret 4_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E21D push ecx; ret 4_2_0040E230
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C6BE push ebx; ret 4_2_0041C6BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_026E4746 push ebp; retf 4_2_026E4760
              Source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pKl9bAGZFF55M', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pKl9bAGZFF55M', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pKl9bAGZFF55M', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIbJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | deleteJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_004772DE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_004375B0
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Contains functionality to detect sleep reduction / modifications
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004440780_2_00444078
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004440783_2_00444078
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Switches to a custom stack to bypass stack traces
              Source: C:\Users\user\Desktop\Pi648je050.exeAPI/Special instruction interceptor: Address: 3F5065C
              Source: C:\Users\user\Desktop\Pi648je050.exeAPI/Special instruction interceptor: Address: 3F9F65C
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: B80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: 23A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: 21C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: BA0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: 28F0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMemory allocated: 48F0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599087Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598718Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598583Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598326Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598216Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597999Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597890Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597672Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597219Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597094Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596984Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596875Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596765Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596656Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596218Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595681Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595577Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595466Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595140Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594922Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594703Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594375Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594265Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594156Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594046Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593937Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593828Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593719Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593560Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593451Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593343Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593227Jump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2503Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7343Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeAPI coverage: 3.3 %
              Source: C:\Users\user\Desktop\Pi648je050.exeAPI coverage: 3.3 %
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 6776Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5268Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00452126
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,3_2_0045C999
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,3_2_00436ADE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00434BEE
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0045DD7C FindFirstFileW,FindClose,3_2_0045DD7C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,3_2_0044BD29
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,3_2_00436D2D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00442E1F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_00475FE5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0044BF8D
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599087Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598718Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598583Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598326Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598216Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597999Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597890Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597672Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597219Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597094Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596984Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596875Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596765Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596656Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596218Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595681Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595577Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595466Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595140Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594922Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594703Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594375Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594265Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594156Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594046Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593937Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593828Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593719Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593560Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593451Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593343Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593227Jump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: RegSvcs.exe, 00000004.00000002.4604135310.0000000005522000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0045A259 BlockInput,0_2_0045A259
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_03F4F2C8 mov eax, dword ptr fs:[00000030h]0_2_03F4F2C8
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_03F50928 mov eax, dword ptr fs:[00000030h]0_2_03F50928
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_03F508C8 mov eax, dword ptr fs:[00000030h]0_2_03F508C8
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_03F9E2C8 mov eax, dword ptr fs:[00000030h]3_2_03F9E2C8
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_03F9F928 mov eax, dword ptr fs:[00000030h]3_2_03F9F928
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_03F9F8C8 mov eax, dword ptr fs:[00000030h]3_2_03F9F8C8
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0042202E SetUnhandledExceptionFilter,0_2_0042202E
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0042202E SetUnhandledExceptionFilter,3_2_0042202E
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004230F5
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00417D93
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00421FA7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040CE09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040E61C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00416F6A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004123F1 SetUnhandledExceptionFilter,4_2_004123F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Maps a DLL or memory area into another process
              Source: C:\Users\user\Desktop\Pi648je050.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
              Sample uses process hollowing technique
              Source: C:\Users\user\Desktop\Pi648je050.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 410000Jump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\Pi648je050.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6B7008Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pi648je050.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
              Source: Pi648je050.exeBinary or memory string: Shell_TrayWnd
              Source: Pi648je050.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_00410D10 cpuid 0_2_00410D10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: GetLocaleInfoA,4_2_00417A20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004711D2 GetUserNameW,0_2_004711D2
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected AgentTesla
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4600489744.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4600489744.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6484, type: MEMORYSTR
              Yara detected PureLog Stealer
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Tries to harvest and steal ftp login credentials
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: Pi648je050.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
              Source: Pi648je050.exeBinary or memory string: WIN_XP
              Source: Pi648je050.exeBinary or memory string: WIN_XPe
              Source: Pi648je050.exeBinary or memory string: WIN_VISTA
              Source: Pi648je050.exeBinary or memory string: WIN_7
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4600489744.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6484, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected AgentTesla
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4600489744.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4600489744.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6484, type: MEMORYSTR
              Yara detected PureLog Stealer
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.276fcbe.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50ee8.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.50f0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.2770ba6.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.RegSvcs.exe.4f50000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_004741BB
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,3_2_0046483C
              Source: C:\Users\user\Desktop\Pi648je050.exeCode function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,3_2_0047AD92

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire Infrastructure2
              Valid Accounts              		121
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              Exploitation for Privilege Escalation              		11
              Disable or Modify Tools              		2
              OS Credential Dumping              		2
              System Time Discovery              		Remote Services11
              Archive Collected Data              		2
              Ingress Tool Transfer              		1
              Exfiltration Over Alternative Protocol              		1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Native API              		2
              Valid Accounts              		1
              DLL Side-Loading              		11
              Deobfuscate/Decode Files or Information              		221
              Input Capture              		1
              Account Discovery              		Remote Desktop Protocol2
              Data from Local System              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Shared Modules              		1
              Registry Run Keys / Startup Folder              		2
              Valid Accounts              		2
              Obfuscated Files or Information              		1
              Credentials in Registry              		2
              File and Directory Discovery              		SMB/Windows Admin Shares1
              Email Collection              		1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              Command and Scripting Interpreter              		Login Hook21
              Access Token Manipulation              		1
              Software Packing              		NTDS148
              System Information Discovery              		Distributed Component Object Model221
              Input Capture              		2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script312
              Process Injection              		1
              DLL Side-Loading              		LSA Secrets341
              Security Software Discovery              		SSH4
              Clipboard Data              		23
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
              Registry Run Keys / Startup Folder              		1
              Masquerading              		Cached Domain Credentials141
              Virtualization/Sandbox Evasion              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Valid Accounts              		DCSync2
              Process Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
              Virtualization/Sandbox Evasion              		Proc Filesystem11
              Application Window Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
              Access Token Manipulation              		/etc/passwd and /etc/shadow1
              System Owner/User Discovery              		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron312
              Process Injection              		Network Sniffing1
              System Network Configuration Discovery              		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
              Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
              Hidden Files and Directories              		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1550182 Sample: Pi648je050.exe Startdate: 06/11/2024 Architecture: WINDOWS Score: 100 31 ftp.haliza.com.my 2->31 33 api.ipify.org 2->33 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 7 other signatures 2->45 8 Pi648je050.exe 1 2->8         started        11 sgxIb.exe 2 2->11         started        13 sgxIb.exe 1 2->13         started        signatures3 process4 signatures5 47 Sample uses process hollowing technique 8->47 49 Switches to a custom stack to bypass stack traces 8->49 51 Contains functionality to detect sleep reduction / modifications 8->51 15 Pi648je050.exe 8->15         started        18 RegSvcs.exe 8->18         started        20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        process6 signatures7 61 Writes to foreign memory regions 15->61 63 Maps a DLL or memory area into another process 15->63 24 RegSvcs.exe 16 4 15->24         started        65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->65 process8 dnsIp9 35 ftp.haliza.com.my 110.4.45.197, 21, 49714, 49715 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 24->35 37 api.ipify.org 172.67.74.152, 443, 49712 CLOUDFLARENETUS United States 24->37 29 C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32 24->29 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->53 55 Tries to steal Mail credentials (via file / registry access) 24->55 57 Tries to harvest and steal ftp login credentials 24->57 59 3 other signatures 24->59 file10 signatures11

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Pi648je050.exe61%ReversingLabsWin32.Trojan.AutoitInject
              Pi648je050.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe0%ReversingLabs

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              api.ipify.org
              		172.67.74.152
              		truefalse
                		high
                ftp.haliza.com.my
                		110.4.45.197
                		truefalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://api.ipify.org/false
                    		high

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://api.ipify.orgRegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmpfalse
                      		high
                      https://account.dyn.com/RegSvcs.exe, 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmpfalse
                        		high
                        http://ftp.haliza.com.myRegSvcs.exe, 00000004.00000002.4600489744.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4600489744.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://api.ipify.org/tRegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000004.00000002.4600489744.0000000002B11000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              110.4.45.197
                              		ftp.haliza.com.myMalaysia
                              		46015EXABYTES-AS-APExaBytesNetworkSdnBhdMYfalse
                              172.67.74.152
                              		api.ipify.orgUnited States
                              		13335CLOUDFLARENETUSfalse

                              General Information

                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1550182
                              Start date and time:2024-11-06 15:07:06 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 42s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Pi648je050.exe
                              renamed because original name is a hash value
                              Original Sample Name:22c46eed2c96ab6e83aa4e917bc36fb76ff4abc83e01fcceaef07fcc7e8d9265.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@11/5@2/2
                              EGA Information:
                              • Successful, ratio: 60%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 43
                              • Number of non-executed functions: 310
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption

                              Warnings

                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target sgxIb.exe, PID 5724 because it is empty
                              • Execution Graph export aborted for target sgxIb.exe, PID 6508 because it is empty
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: Pi648je050.exe

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              09:08:03API Interceptor9200849x Sleep call for process: RegSvcs.exe modified
                              15:08:05AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              15:08:13AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              110.4.45.197Termination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                Payment_Advice_USD_48,054.40_.exeGet hashmaliciousAgentTeslaBrowse
                                  Payslip_October_2024.exeGet hashmaliciousAgentTeslaBrowse
                                    Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                      Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        Payslip_October_2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                            z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                              z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  172.67.74.1522b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  Zc9eO57fgF.elfGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  67065b4c84713_Javiles.exeGet hashmaliciousRDPWrap ToolBrowse
                                                  • api.ipify.org/
                                                  Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                                                  • api.ipify.org/
                                                  y8tCHz7CwC.binGet hashmaliciousXmrigBrowse
                                                  • api.ipify.org/
                                                  file.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  file.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                  • api.ipify.org/
                                                  file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                  • api.ipify.org/

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  ftp.haliza.com.myTermination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payment_Advice_USD_48,054.40_.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                  • 110.4.45.197
                                                  z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • 110.4.45.197
                                                  Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • 110.4.45.197
                                                  api.ipify.org3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.13.205
                                                  6ehOuQ8ifL.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.13.205
                                                  New_Order_PO_GM5637H93.cmdGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                  • 104.26.13.205
                                                  JkYvyHHOr8.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                  • 104.26.12.205
                                                  y4jxkrdxZr.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                  • 104.26.13.205
                                                  Termination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.12.205
                                                  https://averellharriman.sharefile.com/public/share/web-sab7e0a816d3e4e0ca3a0899254901a6dGet hashmaliciousUnknownBrowse
                                                  • 172.67.74.152
                                                  https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0Get hashmaliciousUnknownBrowse
                                                  • 104.26.13.205
                                                  https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousMamba2FABrowse
                                                  • 104.26.12.205
                                                  Payment_Advice_USD_48,054.40_.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.13.205

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  EXABYTES-AS-APExaBytesNetworkSdnBhdMYTermination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousMamba2FABrowse
                                                  • 103.6.199.200
                                                  Payment_Advice_USD_48,054.40_.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  Txwd 4063517991 djxjdlxmbk.pdfGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                  • 103.6.199.200
                                                  Payslip_October_2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 110.4.45.197
                                                  z1Transaction_ID_REF2418_cmd.batGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                  • 110.4.45.197
                                                  CLOUDFLARENETUS3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.13.205
                                                  6ehOuQ8ifL.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 104.26.13.205
                                                  173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 188.114.97.3
                                                  SecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                  • 188.114.96.3
                                                  file.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.5.155
                                                  Iamgold_Docs_Access3aecd483-6211-46f6-ad1d-bba6268615a6_OFZCB.pdfGet hashmaliciousHTMLPhisherBrowse
                                                  • 188.114.96.3
                                                  Report_7526.htmlGet hashmaliciousUnknownBrowse
                                                  • 104.17.245.203
                                                  https://booking.com@slongre.com/vrmcoabuGet hashmaliciousUnknownBrowse
                                                  • 104.17.25.14
                                                  SecuriteInfo.com.W32.MSIL_Kryptik.KHA.gen.Eldorado.19300.19769.exeGet hashmaliciousLummaCBrowse
                                                  • 104.21.16.142
                                                  file.exeGet hashmaliciousAmadey, LummaC Stealer, StealcBrowse
                                                  • 172.67.133.135

                                                  JA3 Fingerprints

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  3b5074b1b5d032e5620f69f9f700ff0e3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 172.67.74.152
                                                  6ehOuQ8ifL.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 172.67.74.152
                                                  2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                  • 172.67.74.152
                                                  173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  • 172.67.74.152
                                                  pagamento.Intesa.anpaolo.pdf.exeGet hashmaliciousUnknownBrowse
                                                  • 172.67.74.152
                                                  pagamento.Intesa.anpaolo.pdf.exeGet hashmaliciousUnknownBrowse
                                                  • 172.67.74.152
                                                  SecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                  • 172.67.74.152
                                                  Iamgold_Docs_Access3aecd483-6211-46f6-ad1d-bba6268615a6_OFZCB.pdfGet hashmaliciousHTMLPhisherBrowse
                                                  • 172.67.74.152
                                                  tvfF5APmrC.lnkGet hashmaliciousMalLnkBrowse
                                                  • 172.67.74.152
                                                  aAmetcdeXM.lnkGet hashmaliciousMalLnkBrowse
                                                  • 172.67.74.152

                                                  Dropped Files

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeshipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                                    Termination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      Payment_Advice_USD_48,054.40_.exeGet hashmaliciousAgentTeslaBrowse
                                                        M1Y6kc9FpE.exeGet hashmaliciousFormBookBrowse
                                                          mJIvCBk5vF.exeGet hashmaliciousFormBookBrowse
                                                            1aG5DoOsAW.exeGet hashmaliciousFormBookBrowse
                                                              copto de pago.exeGet hashmaliciousAgentTeslaBrowse
                                                                purchase order P857248 dated 04112024.exeGet hashmaliciousXWormBrowse
                                                                  dJpo3HPctv.exeGet hashmaliciousXWormBrowse
                                                                    Payslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):142
                                                                      Entropy (8bit):5.090621108356562
                                                                      Encrypted:false
                                                                      SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                      MD5:8C0458BB9EA02D50565175E38D577E35
                                                                      SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                      SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                      SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                                      C:\Users\user\AppData\Local\Temp\Idonna

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\Pi648je050.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):271360
                                                                      Entropy (8bit):7.889620923018979
                                                                      Encrypted:false
                                                                      SSDEEP:6144:9RhHrVPOIjoME5wTZ6/w7x4zCJBUd9KOWdotR2:VLVPOIj9E5wmwkEe9KOWdoK
                                                                      MD5:8C70AA14440FAEFC27AF2CE3157BD0BB
                                                                      SHA1:1F6EE61FF797DD800D4D9319BCEF026997EE8DC4
                                                                      SHA-256:0B5960093B0253747B31AAFDB541A6688D386ADB9E3E4FC769E713E4FBAAEC50
                                                                      SHA-512:EEFE6A46DE54F693F21339605F63FAC3019A78FF035D143D84652D354A1BB330CDE5C8887197CB8C4533CD9DE05F9EAD5C856C75556AE2E1C10F59D9659728A0
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:...6ICTUAZAV.TW.L6JCTUE.AV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4ST.EL6D\.[E.H...U..mb"*'u5(.1F29w&-X$, u'?a$A=t>+lr..t8*>$x9^^sEL6JCTU-J.{.".)i=.4o%.;hb)Jl%.;G..=.$.$m'.-.&.2.i-*I4.?d.:*.4.Hx`/+h+.(f:7?i=.4CTUEZAV4STWEL6JCk_-<AV4S..ELzKGT!.Z.V4STWEL6.CwTN[HV4.UWE.4JCTUEu.V4SDWEL.KCTU.ZAF4STUEL3JCTUEZAS4STWEL6J3PUE^AV.hVWGL6.CTEEZQV4STGEL&JCTUEZQV4STWEL6JCT.PXA.4STW%N6RAVUEZAV4STWEL6JCTUEZAV4STWE..KCHUEZAV4STWEL6JCTUEZAV4STWEL6.NVU.ZAV4STWEL6JC.TE.@V4STWEL6JCTUEZAV4STWEL6JCT{1?9"4STO.M6JSTUE.@V4WTWEL6JCTUEZAV4sTW%bD." 4EZ.;4ST.DL6$CTU.[AV4STWEL6JCTU.ZA..75#$L6J.dUEZaT4SBWEL<HCTUEZAV4STWELvJC.{7)354STOGN6J#VUE^CV4sVWEL6JCTUEZAV4.TW.L6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZAV4STWEL6JCTUEZ

                                                                      C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

                                                                      Download File
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):45984
                                                                      Entropy (8bit):6.16795797263964
                                                                      Encrypted:false
                                                                      SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                      MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                      SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                      SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                      SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
                                                                      • Filename: shipping documents.exe, Detection: malicious, Browse
                                                                      • Filename: Termination_List_November_2024_pdf.exe, Detection: malicious, Browse
                                                                      • Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious, Browse
                                                                      • Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse
                                                                      • Filename: mJIvCBk5vF.exe, Detection: malicious, Browse
                                                                      • Filename: 1aG5DoOsAW.exe, Detection: malicious, Browse
                                                                      • Filename: copto de pago.exe, Detection: malicious, Browse
                                                                      • Filename: purchase order P857248 dated 04112024.exe, Detection: malicious, Browse
                                                                      • Filename: dJpo3HPctv.exe, Detection: malicious, Browse
                                                                      • Filename: Payslip_October_2024_pdf.exe, Detection: malicious, Browse
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                                      \Device\ConDrv

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1141
                                                                      Entropy (8bit):4.442398121585593
                                                                      Encrypted:false
                                                                      SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                      MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                      SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                      SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                      SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                      Malicious:false
                                                                      Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.47493858374487
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                      • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:Pi648je050.exe
                                                                      File size:1'267'163 bytes
                                                                      MD5:b47427b1a08950c5d561d65b664f0100
                                                                      SHA1:2c45c83042460e904ce6d0607b67472b505637ad
                                                                      SHA256:22c46eed2c96ab6e83aa4e917bc36fb76ff4abc83e01fcceaef07fcc7e8d9265
                                                                      SHA512:dd9436a72a69f125c7770642c7d69ddcc926fdbc10103637c669a07572c72266673db010fdecd275b0b0d4f951b3a53bf41f6a407113f058616ef09204021457
                                                                      SSDEEP:24576:ffmMv6Ckr7Mny5QLX11+BXqBsBAl/36BqsV:f3v+7/5QLXcqy+36BqsV
                                                                      TLSH:4645E112B3D680B6D9A339B02D7BE31BEB3575194323C58BA7E02E778E111419B37762
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

                                                                      File Icon

                                                                      Icon Hash:1733312925935517

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x416310
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:aaaa8913c89c8aa4a5d93f06853894da

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      call 00007F6A2CEB829Ch
                                                                      jmp 00007F6A2CEAC06Eh
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      push edi
                                                                      push esi
                                                                      mov esi, dword ptr [ebp+0Ch]
                                                                      mov ecx, dword ptr [ebp+10h]
                                                                      mov edi, dword ptr [ebp+08h]
                                                                      mov eax, ecx
                                                                      mov edx, ecx
                                                                      add eax, esi
                                                                      cmp edi, esi
                                                                      jbe 00007F6A2CEAC1FAh
                                                                      cmp edi, eax
                                                                      jc 00007F6A2CEAC39Ah
                                                                      cmp ecx, 00000100h
                                                                      jc 00007F6A2CEAC211h
                                                                      cmp dword ptr [004A94E0h], 00000000h
                                                                      je 00007F6A2CEAC208h
                                                                      push edi
                                                                      push esi
                                                                      and edi, 0Fh
                                                                      and esi, 0Fh
                                                                      cmp edi, esi
                                                                      pop esi
                                                                      pop edi
                                                                      jne 00007F6A2CEAC1FAh
                                                                      pop esi
                                                                      pop edi
                                                                      pop ebp
                                                                      jmp 00007F6A2CEAC65Ah
                                                                      test edi, 00000003h
                                                                      jne 00007F6A2CEAC207h
                                                                      shr ecx, 02h
                                                                      and edx, 03h
                                                                      cmp ecx, 08h
                                                                      jc 00007F6A2CEAC21Ch
                                                                      rep movsd
                                                                      jmp dword ptr [00416494h+edx*4]
                                                                      nop
                                                                      mov eax, edi
                                                                      mov edx, 00000003h
                                                                      sub ecx, 04h
                                                                      jc 00007F6A2CEAC1FEh
                                                                      and eax, 03h
                                                                      add ecx, eax
                                                                      jmp dword ptr [004163A8h+eax*4]
                                                                      jmp dword ptr [004164A4h+ecx*4]
                                                                      nop
                                                                      jmp dword ptr [00416428h+ecx*4]
                                                                      nop
                                                                      mov eax, E4004163h
                                                                      arpl word ptr [ecx+00h], ax
                                                                      or byte ptr [ecx+eax*2+00h], ah
                                                                      and edx, ecx
                                                                      mov al, byte ptr [esi]
                                                                      mov byte ptr [edi], al
                                                                      mov al, byte ptr [esi+01h]
                                                                      mov byte ptr [edi+01h], al
                                                                      mov al, byte ptr [esi+02h]
                                                                      shr ecx, 02h
                                                                      mov byte ptr [edi+02h], al
                                                                      add esi, 03h
                                                                      add edi, 03h
                                                                      cmp ecx, 08h
                                                                      jc 00007F6A2CEAC1BEh

                                                                      Rich Headers

                                                                      Programming Language:
                                                                      • [ASM] VS2008 SP1 build 30729
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [C++] VS2008 SP1 build 30729
                                                                      • [ C ] VS2005 build 50727
                                                                      • [IMP] VS2005 build 50727
                                                                      • [ASM] VS2008 build 21022
                                                                      • [RES] VS2008 build 21022
                                                                      • [LNK] VS2008 SP1 build 30729

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x8cd3c0x154.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9298.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x820000x840.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x10000x800170x802006c20c6bf686768b6f134f5bd508171bcFalse0.5602991615853659data6.634688230255595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rdata0x820000xd95c0xda00f979966509a93083729d23cdfd2a6f2dFalse0.36256450688073394data4.880040824124099IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .data0x900000x1a5180x6800e5d77411f751d28c6eee48a743606795False0.1600060096153846data2.2017649896261107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                      .rsrc0xab0000x92980x9400f6be76de0ef2c68f397158bf01bdef3eFalse0.4896801097972973data5.530303089784181IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_ICON0xab5c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                                                      RT_ICON0xab6f00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                                                      RT_ICON0xab8180x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                                                      RT_ICON0xab9400x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
                                                                      RT_ICON0xabfa80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
                                                                      RT_ICON0xac2900x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
                                                                      RT_ICON0xac3b80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
                                                                      RT_ICON0xad2600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
                                                                      RT_ICON0xadb080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
                                                                      RT_ICON0xae0700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
                                                                      RT_ICON0xb06180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
                                                                      RT_ICON0xb16c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
                                                                      RT_MENU0xb1b280x50dataEnglishGreat Britain0.9
                                                                      RT_DIALOG0xb1b780xfcdataEnglishGreat Britain0.6507936507936508
                                                                      RT_STRING0xb1c780x530dataEnglishGreat Britain0.33960843373493976
                                                                      RT_STRING0xb21a80x690dataEnglishGreat Britain0.26964285714285713
                                                                      RT_STRING0xb28380x43adataEnglishGreat Britain0.3733826247689464
                                                                      RT_STRING0xb2c780x5fcdataEnglishGreat Britain0.3087467362924282
                                                                      RT_STRING0xb32780x65cdataEnglishGreat Britain0.34336609336609336
                                                                      RT_STRING0xb38d80x388dataEnglishGreat Britain0.377212389380531
                                                                      RT_STRING0xb3c600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.502906976744186
                                                                      RT_GROUP_ICON0xb3db80x84dataEnglishGreat Britain0.6439393939393939
                                                                      RT_GROUP_ICON0xb3e400x14dataEnglishGreat Britain1.15
                                                                      RT_GROUP_ICON0xb3e580x14dataEnglishGreat Britain1.25
                                                                      RT_GROUP_ICON0xb3e700x14dataEnglishGreat Britain1.25
                                                                      RT_VERSION0xb3e880x19cdataEnglishGreat Britain0.5339805825242718
                                                                      RT_MANIFEST0xb40280x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

                                                                      Imports

                                                                      DLLImport
                                                                      WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                                                      VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                                                      WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                      COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                                                      MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                                                      WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                                                      PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                                                      USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                                                      KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
                                                                      USER32.dllSetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
                                                                      GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
                                                                      COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                      ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
                                                                      SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                      ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
                                                                      OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

                                                                      Possible Origin

                                                                      Language of compilation systemCountry where language is spokenMap
                                                                      EnglishGreat Britain
                                                                      EnglishUnited States

                                                                      Network Behavior

                                                                      Suricata IDS Alerts

                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                      2024-11-06T15:08:14.496660+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow152.149.20.212443192.168.2.649754TCP
                                                                      2024-11-06T15:08:53.390109+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow152.149.20.212443192.168.2.649954TCP

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Nov 6, 2024 15:08:03.647478104 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:03.647540092 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:03.647605896 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:03.657243013 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:03.657272100 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.267769098 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.267913103 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:04.281003952 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:04.281039953 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.281388998 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.325659990 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:04.334899902 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:04.375339031 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.505425930 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.505495071 CET44349712172.67.74.152192.168.2.6
                                                                      Nov 6, 2024 15:08:04.505582094 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:04.511969090 CET49712443192.168.2.6172.67.74.152
                                                                      Nov 6, 2024 15:08:05.436608076 CET4971421192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:05.442445993 CET2149714110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:05.442595005 CET4971421192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:05.447175980 CET4971421192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:05.452166080 CET2149714110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:05.452234983 CET4971421192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:05.486974955 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:05.492058992 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:05.492178917 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:06.386138916 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:06.386460066 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:06.391324043 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:06.716487885 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:06.716634035 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:06.721704960 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.061952114 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.062114000 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:07.067410946 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.391413927 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.392249107 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:07.397027969 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.720525980 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:07.721949100 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:07.727175951 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:08.051364899 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:08.057339907 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:08.062163115 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:08.388428926 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:08.389157057 CET4973156341192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:08.394421101 CET5634149731110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:08.395306110 CET4973156341192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:08.395306110 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:08.400320053 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:09.347238064 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:09.351016998 CET4973156341192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:09.355912924 CET5634149731110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:09.369950056 CET4973156341192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:09.385286093 CET5634149731110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:09.385987997 CET4973156341192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:09.403779984 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:09.723651886 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:09.724426985 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:09.729347944 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.053410053 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.054320097 CET4973756986192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:10.059283972 CET5698649737110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.059376955 CET4973756986192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:10.059528112 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:10.065210104 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.967376947 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.967716932 CET4973756986192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:10.972803116 CET5698649737110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.973177910 CET5698649737110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:10.973236084 CET4973756986192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.013931990 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.311857939 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:11.312459946 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.317497969 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:11.642340899 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:11.642863989 CET4974860753192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.647949934 CET6075349748110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:11.648053885 CET4974860753192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.649931908 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:11.655045033 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:12.564027071 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:12.585619926 CET4974860753192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:12.591089010 CET6075349748110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:12.591145992 CET4974860753192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:12.607187986 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:08:12.918576002 CET2149715110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:08:12.968033075 CET4971521192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:54.151441097 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:54.156459093 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:54.156527042 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:54.207977057 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:54.212977886 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:54.213041067 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.064202070 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.065488100 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.070391893 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.113933086 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.114808083 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.122304916 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.400418997 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.400553942 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.406913042 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.450510979 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.450664997 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.455481052 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.785609007 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.785794020 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.790790081 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.812012911 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:55.812402010 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:55.817325115 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.120951891 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.121135950 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.126050949 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.145541906 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.145706892 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.150676966 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.456497908 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.457571030 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.462487936 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.478585005 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.481615067 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.486593962 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.794536114 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.794990063 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.800299883 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.816080093 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:56.816236019 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:56.821073055 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.131975889 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.133917093 CET4999157947192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.139971972 CET5794749991110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.141660929 CET4999157947192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.141813993 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.146898031 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.149430990 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.149807930 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.154680014 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:57.154771090 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.154934883 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:57.159950972 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.042538881 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.042891979 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.047872066 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.047903061 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.047915936 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.047928095 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.047957897 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.047981977 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048001051 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048002005 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048015118 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048068047 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048075914 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048088074 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048090935 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048110008 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048119068 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048130989 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048154116 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.048382044 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.048429966 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.052870035 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052881956 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052894115 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052902937 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052920103 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.052942038 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052953005 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.052953959 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053003073 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.053020000 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053047895 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.053057909 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.053061008 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053098917 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.053112984 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053152084 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053183079 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.053235054 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.053533077 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.057804108 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.057869911 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058341026 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058351040 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058362961 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058372974 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058929920 CET6500849992110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.058974981 CET4999265008192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.095956087 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.096102953 CET4999157947192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.096232891 CET4999157947192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.100949049 CET5794749991110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.101564884 CET5794749991110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.101607084 CET4999157947192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.137610912 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.176913977 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.446115971 CET2149989110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.497472048 CET4998921192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:09:58.775192976 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:09:58.889456034 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:09.354366064 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:09.359255075 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:09.687819004 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:09.711165905 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:09.716072083 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:09.716144085 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:09.723207951 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:09.728064060 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.625885010 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.633223057 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639072895 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639178991 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639188051 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639205933 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639230013 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639244080 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639259100 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639278889 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639287949 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639309883 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639329910 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639338970 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639348984 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.639360905 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639381886 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.639503002 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644171000 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644311905 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644337893 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644346952 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644354105 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644357920 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644366980 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644377947 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644433975 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644433975 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644474030 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644505024 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.644546032 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.644612074 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.649187088 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.649270058 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.649713039 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.649775028 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.654390097 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654556990 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654567957 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654633045 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654640913 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654675961 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654684067 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.654736996 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.655534983 CET5044349993110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:10.657536983 CET4999350443192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:10.781394958 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:11.417869091 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:11.481296062 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:22.688045979 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:22.693099022 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.021492958 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.021991014 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.026760101 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.026844978 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.026897907 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.031696081 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.940109968 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.940407991 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945604086 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945637941 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945687056 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945736885 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945775986 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945804119 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945825100 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945856094 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945899963 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945929050 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.945956945 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.945986032 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.946013927 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.946043015 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.946063995 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.946088076 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.946120977 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.946175098 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.946208000 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.946295023 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951103926 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951157093 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951220036 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951248884 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951272011 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951334000 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951386929 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951416969 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951453924 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951474905 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951500893 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.951555967 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951584101 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.951656103 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:23.956645966 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.956780910 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.956813097 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.956918955 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957088947 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957142115 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957175970 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957225084 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957252979 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957279921 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957328081 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957356930 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957386017 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957614899 CET5902349995110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:23.957686901 CET4999559023192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:24.007955074 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:24.704694033 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:24.889337063 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:33.362147093 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:33.367042065 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:33.695883989 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:33.696419954 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:33.701304913 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:33.701368093 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:33.701457024 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:33.706633091 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.607419968 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.607666969 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.612792969 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.612812996 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.612863064 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.612911940 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.612922907 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.612941027 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.612968922 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.612991095 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.613013029 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.613019943 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.613099098 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.613102913 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.613117933 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.613135099 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.613245010 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.613266945 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.613317013 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.617744923 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617805004 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617830038 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.617842913 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617873907 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.617893934 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617903948 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617908001 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617933989 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.617958069 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.617974997 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618002892 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.618022919 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.618110895 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618129015 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618161917 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.618231058 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.618275881 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618398905 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618416071 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.618427992 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.622668982 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.622704983 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.622859955 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.622912884 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.622967958 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623018980 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623070002 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623080015 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623126984 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623148918 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623352051 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623426914 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623436928 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623446941 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623502016 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.623953104 CET5138049996110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:34.624058008 CET4999651380192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:34.778358936 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:35.407906055 CET2149990110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:35.481215000 CET4999021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:52.640809059 CET4999721192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:52.645953894 CET2149997110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:52.649341106 CET4999721192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:52.653223991 CET4999721192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:52.658289909 CET2149997110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:52.661319017 CET4999721192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:59.146872044 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:10:59.153333902 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:10:59.153398991 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:00.051328897 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:00.051539898 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:00.057657003 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:00.406196117 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:00.409353971 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:00.414402008 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:00.763201952 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:00.763329983 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:00.768449068 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.092736959 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.092880964 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:01.097759008 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.422888994 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.429200888 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:01.434097052 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.758826017 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:01.762841940 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:01.767779112 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:02.092914104 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:02.093723059 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:02.098555088 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:02.099216938 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:02.099225044 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:02.104206085 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:02.993196011 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:02.995759964 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001100063 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001113892 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001133919 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001144886 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001163006 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001189947 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001204967 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001215935 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001225948 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001238108 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001266956 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001281977 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001292944 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001331091 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001370907 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001380920 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.001411915 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.001422882 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006149054 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006175041 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006184101 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006208897 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006232023 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006242990 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006253004 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006263971 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006279945 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006290913 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006313086 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006320953 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006334066 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006359100 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006371975 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006536007 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006577969 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006604910 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006616116 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006642103 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006654024 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.006664991 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.006701946 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.011179924 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011229038 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.011255980 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011266947 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011320114 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.011343956 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011353970 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011456013 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011466026 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011483908 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.011739016 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016180992 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016218901 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016230106 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016309977 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016321898 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016331911 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016343117 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016355991 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016752958 CET6248049999110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.016881943 CET4999962480192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.123059988 CET5000021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.123624086 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.312352896 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.312462091 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.313888073 CET2150000110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.313952923 CET5000021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.314858913 CET5000021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.319899082 CET2150000110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.319952011 CET5000021192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:03.750379086 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:03.887409925 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:04.269177914 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:04.274905920 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:04.600888968 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:04.601433992 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:04.606544018 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:04.606611967 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:04.606942892 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:04.612507105 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.511127949 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.513142109 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.518253088 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518270969 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518280983 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518290997 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518326998 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518337011 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518347025 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518388033 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.518399000 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518429995 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.518487930 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.518487930 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518596888 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.518699884 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.523377895 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523396015 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523410082 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523418903 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523495913 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523557901 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.523591042 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523602009 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523610115 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523627996 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.523667097 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523737907 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.523792982 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523837090 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.523912907 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523924112 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523942947 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.523984909 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.528522015 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.528690100 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.528703928 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.528815985 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.529162884 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.529602051 CET6433050001110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:05.533293962 CET5000164330192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:05.577172995 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:06.276916981 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:06.354357958 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:08.081168890 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:08.086354017 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:08.411665916 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:08.417392969 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:08.422820091 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:08.425277948 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:08.425318956 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:08.430248976 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.336128950 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.336373091 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341403961 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341453075 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341455936 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341463089 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341470957 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341506958 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341522932 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341573000 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341625929 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341630936 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341638088 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341659069 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341664076 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341680050 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341691017 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341695070 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341700077 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.341727972 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.341751099 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346410990 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346421957 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346437931 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346467018 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346502066 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346513033 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346523046 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346533060 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346551895 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346585989 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346672058 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346745014 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.346849918 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.346894979 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.351697922 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351746082 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351767063 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351845980 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351855040 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351933002 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351943016 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351958036 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351974010 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351983070 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.351994991 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.352776051 CET5826250002110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:09.352833033 CET5000258262192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:09.387309074 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:10.093621969 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:10.184287071 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:20.314758062 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:20.319698095 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:20.646693945 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:20.647201061 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:20.652308941 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:20.652405024 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:20.652486086 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:20.657248020 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.548082113 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.548367023 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.553570032 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553581953 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553592920 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553603888 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553657055 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553684950 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.553745985 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553749084 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.553760052 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553770065 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553805113 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.553833008 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553833961 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.553843021 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.553900957 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.559021950 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559091091 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559099913 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559108019 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559142113 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559151888 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559176922 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.559186935 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559230089 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.559345961 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559355974 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559402943 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559480906 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.559514999 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559827089 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.559890032 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.564208031 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564265013 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564414024 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564515114 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564594030 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564702988 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564790010 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564800024 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564809084 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564870119 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564917088 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564925909 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.564935923 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.565018892 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.565028906 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.565434933 CET6331450003110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:21.565500021 CET5000363314192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:21.590384960 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:22.293498993 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:22.343750000 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:40.822057009 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:40.826884985 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:41.159176111 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:41.159563065 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:41.164364100 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:41.164433956 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:41.164501905 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:41.169323921 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.115654945 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.116122961 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.123217106 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123233080 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123243093 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123246908 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123259068 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123269081 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123282909 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123286963 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123296976 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123306036 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.123348951 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.124905109 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.130469084 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.130531073 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.130669117 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.130739927 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.131004095 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131016016 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131026030 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131047010 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131076097 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.131248951 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.131953001 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131963015 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131970882 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.131985903 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.132025957 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.132077932 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.132390976 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.132509947 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.135389090 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.135576963 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.135940075 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.136010885 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.136089087 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.136133909 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.136804104 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.137136936 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.137334108 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.137531996 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.137543917 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.138063908 CET6468250005110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:42.138128996 CET5000564682192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.217020988 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:42.948185921 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:43.105935097 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:50.136940002 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:50.141954899 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:50.466926098 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:50.467569113 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:50.472445011 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:50.472537041 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:50.472620964 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:50.477379084 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.400015116 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.400619984 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.405534029 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405550003 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405567884 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405574083 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405586958 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405606985 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405694008 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405776978 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.405846119 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.405864000 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405878067 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405904055 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.405941010 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.406021118 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.410727024 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410738945 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410743952 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410753012 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410773039 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410782099 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410836935 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.410876989 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410888910 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410912991 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410959959 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.410985947 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.411181927 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.411194086 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.415673971 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.415796995 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.415808916 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.415887117 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.415898085 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416064978 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416075945 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416085958 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416129112 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416522026 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416534901 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416546106 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416557074 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416565895 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416578054 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416589975 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416599989 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416613102 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.416961908 CET5955050006110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:51.417112112 CET5000659550192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:51.512995005 CET4999821192.168.2.6110.4.45.197
                                                                      Nov 6, 2024 15:11:52.191838026 CET2149998110.4.45.197192.168.2.6
                                                                      Nov 6, 2024 15:11:52.418433905 CET4999821192.168.2.6110.4.45.197

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Nov 6, 2024 15:08:03.042294025 CET5899453192.168.2.61.1.1.1
                                                                      Nov 6, 2024 15:08:03.640728951 CET53589941.1.1.1192.168.2.6
                                                                      Nov 6, 2024 15:08:05.131011963 CET5714653192.168.2.61.1.1.1
                                                                      Nov 6, 2024 15:08:05.435801029 CET53571461.1.1.1192.168.2.6

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Nov 6, 2024 15:08:03.042294025 CET192.168.2.61.1.1.10xc49cStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                      Nov 6, 2024 15:08:05.131011963 CET192.168.2.61.1.1.10xf2d8Standard query (0)ftp.haliza.com.myA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Nov 6, 2024 15:08:03.640728951 CET1.1.1.1192.168.2.60xc49cNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                      Nov 6, 2024 15:08:03.640728951 CET1.1.1.1192.168.2.60xc49cNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                      Nov 6, 2024 15:08:03.640728951 CET1.1.1.1192.168.2.60xc49cNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                      Nov 6, 2024 15:08:05.435801029 CET1.1.1.1192.168.2.60xf2d8No error (0)ftp.haliza.com.my110.4.45.197A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • api.ipify.org

                                                                      HTTPS Proxied Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.649712172.67.74.1524436484C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-11-06 14:08:04 UTC155OUTGET / HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                      Host: api.ipify.org
                                                                      Connection: Keep-Alive
                                                                      2024-11-06 14:08:04 UTC398INHTTP/1.1 200 OK
                                                                      Date: Wed, 06 Nov 2024 14:08:04 GMT
                                                                      Content-Type: text/plain
                                                                      Content-Length: 14
                                                                      Connection: close
                                                                      Vary: Origin
                                                                      cf-cache-status: DYNAMIC
                                                                      Server: cloudflare
                                                                      CF-RAY: 8de5a74b8c3e0c1b-DFW
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1717&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=1686662&cwnd=76&unsent_bytes=0&cid=95fed2cf8f77b7a3&ts=255&x=0"
                                                                      2024-11-06 14:08:04 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 30
                                                                      Data Ascii: 173.254.250.80


                                                                      FTP Packets

                                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                                      Nov 6, 2024 15:08:06.386138916 CET2149715110.4.45.197192.168.2.6220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 8 of 50 allowed.220-Local time is now 22:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                      Nov 6, 2024 15:08:06.386460066 CET4971521192.168.2.6110.4.45.197USER origin@haliza.com.my
                                                                      Nov 6, 2024 15:08:06.716487885 CET2149715110.4.45.197192.168.2.6331 User origin@haliza.com.my OK. Password required
                                                                      Nov 6, 2024 15:08:06.716634035 CET4971521192.168.2.6110.4.45.197PASS JesusChrist007$
                                                                      Nov 6, 2024 15:08:07.061952114 CET2149715110.4.45.197192.168.2.6230 OK. Current restricted directory is /
                                                                      Nov 6, 2024 15:08:07.391413927 CET2149715110.4.45.197192.168.2.6504 Unknown command
                                                                      Nov 6, 2024 15:08:07.392249107 CET4971521192.168.2.6110.4.45.197PWD
                                                                      Nov 6, 2024 15:08:07.720525980 CET2149715110.4.45.197192.168.2.6257 "/" is your current location
                                                                      Nov 6, 2024 15:08:07.721949100 CET4971521192.168.2.6110.4.45.197TYPE I
                                                                      Nov 6, 2024 15:08:08.051364899 CET2149715110.4.45.197192.168.2.6200 TYPE is now 8-bit binary
                                                                      Nov 6, 2024 15:08:08.057339907 CET4971521192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:08:08.388428926 CET2149715110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,220,21)
                                                                      Nov 6, 2024 15:08:08.395306110 CET4971521192.168.2.6110.4.45.197STOR CO_Chrome_Default.txt_user-585948_2024_11_06_09_38_03.txt
                                                                      Nov 6, 2024 15:08:09.347238064 CET2149715110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:08:09.723651886 CET2149715110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.376 seconds (measured here), 0.75 Kbytes per second
                                                                      Nov 6, 2024 15:08:09.724426985 CET4971521192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:08:10.053410053 CET2149715110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,222,154)
                                                                      Nov 6, 2024 15:08:10.059528112 CET4971521192.168.2.6110.4.45.197STOR CO_Edge Chromium_Default.txt_user-585948_2024_11_06_14_26_51.txt
                                                                      Nov 6, 2024 15:08:10.967376947 CET2149715110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:08:11.311857939 CET2149715110.4.45.197192.168.2.6226 File successfully transferred
                                                                      Nov 6, 2024 15:08:11.312459946 CET4971521192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:08:11.642340899 CET2149715110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,237,81)
                                                                      Nov 6, 2024 15:08:11.649931908 CET4971521192.168.2.6110.4.45.197STOR CO_Firefox_2o7hffxt.default-release.txt_user-585948_2024_11_06_16_55_32.txt
                                                                      Nov 6, 2024 15:08:12.564027071 CET2149715110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:08:12.918576002 CET2149715110.4.45.197192.168.2.6226 File successfully transferred
                                                                      Nov 6, 2024 15:09:55.064202070 CET2149989110.4.45.197192.168.2.6220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 22:09. Server port: 21.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 11 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                      Nov 6, 2024 15:09:55.065488100 CET4998921192.168.2.6110.4.45.197USER origin@haliza.com.my
                                                                      Nov 6, 2024 15:09:55.113933086 CET2149990110.4.45.197192.168.2.6220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 12 of 50 allowed.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 12 of 50 allowed.220-Local time is now 22:09. Server port: 21.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 12 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 12 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 12 of 50 allowed.220-Local time is now 22:09. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                      Nov 6, 2024 15:09:55.114808083 CET4999021192.168.2.6110.4.45.197USER origin@haliza.com.my
                                                                      Nov 6, 2024 15:09:55.400418997 CET2149989110.4.45.197192.168.2.6331 User origin@haliza.com.my OK. Password required
                                                                      Nov 6, 2024 15:09:55.400553942 CET4998921192.168.2.6110.4.45.197PASS JesusChrist007$
                                                                      Nov 6, 2024 15:09:55.450510979 CET2149990110.4.45.197192.168.2.6331 User origin@haliza.com.my OK. Password required
                                                                      Nov 6, 2024 15:09:55.450664997 CET4999021192.168.2.6110.4.45.197PASS JesusChrist007$
                                                                      Nov 6, 2024 15:09:55.785609007 CET2149989110.4.45.197192.168.2.6230 OK. Current restricted directory is /
                                                                      Nov 6, 2024 15:09:55.812012911 CET2149990110.4.45.197192.168.2.6230 OK. Current restricted directory is /
                                                                      Nov 6, 2024 15:09:56.120951891 CET2149989110.4.45.197192.168.2.6504 Unknown command
                                                                      Nov 6, 2024 15:09:56.121135950 CET4998921192.168.2.6110.4.45.197PWD
                                                                      Nov 6, 2024 15:09:56.145541906 CET2149990110.4.45.197192.168.2.6504 Unknown command
                                                                      Nov 6, 2024 15:09:56.145706892 CET4999021192.168.2.6110.4.45.197PWD
                                                                      Nov 6, 2024 15:09:56.456497908 CET2149989110.4.45.197192.168.2.6257 "/" is your current location
                                                                      Nov 6, 2024 15:09:56.457571030 CET4998921192.168.2.6110.4.45.197TYPE I
                                                                      Nov 6, 2024 15:09:56.478585005 CET2149990110.4.45.197192.168.2.6257 "/" is your current location
                                                                      Nov 6, 2024 15:09:56.481615067 CET4999021192.168.2.6110.4.45.197TYPE I
                                                                      Nov 6, 2024 15:09:56.794536114 CET2149989110.4.45.197192.168.2.6200 TYPE is now 8-bit binary
                                                                      Nov 6, 2024 15:09:56.794990063 CET4998921192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:09:56.816080093 CET2149990110.4.45.197192.168.2.6200 TYPE is now 8-bit binary
                                                                      Nov 6, 2024 15:09:56.816236019 CET4999021192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:09:57.131975889 CET2149989110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,226,91)
                                                                      Nov 6, 2024 15:09:57.141813993 CET4998921192.168.2.6110.4.45.197STOR KL_user-585948_2024_11_27_05_36_13.html
                                                                      Nov 6, 2024 15:09:57.149430990 CET2149990110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,253,240)
                                                                      Nov 6, 2024 15:09:57.154934883 CET4999021192.168.2.6110.4.45.197STOR SC_user-585948_2024_11_27_06_56_22.jpeg
                                                                      Nov 6, 2024 15:09:58.042538881 CET2149990110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:09:58.095956087 CET2149989110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:09:58.446115971 CET2149989110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.350 seconds (measured here), 0.90 Kbytes per second
                                                                      Nov 6, 2024 15:09:58.775192976 CET2149990110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.733 seconds (measured here), 107.56 Kbytes per second
                                                                      Nov 6, 2024 15:10:09.354366064 CET4999021192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:10:09.687819004 CET2149990110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,197,11)
                                                                      Nov 6, 2024 15:10:09.723207951 CET4999021192.168.2.6110.4.45.197STOR SC_user-585948_2024_12_05_20_13_38.jpeg
                                                                      Nov 6, 2024 15:10:10.625885010 CET2149990110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:10:11.417869091 CET2149990110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.792 seconds (measured here), 93.56 Kbytes per second
                                                                      Nov 6, 2024 15:10:22.688045979 CET4999021192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:10:23.021492958 CET2149990110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,230,143)
                                                                      Nov 6, 2024 15:10:23.026897907 CET4999021192.168.2.6110.4.45.197STOR SC_user-585948_2024_12_13_18_35_59.jpeg
                                                                      Nov 6, 2024 15:10:23.940109968 CET2149990110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:10:24.704694033 CET2149990110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.764 seconds (measured here), 96.90 Kbytes per second
                                                                      Nov 6, 2024 15:10:33.362147093 CET4999021192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:10:33.695883989 CET2149990110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,200,180)
                                                                      Nov 6, 2024 15:10:33.701457024 CET4999021192.168.2.6110.4.45.197STOR SC_user-585948_2024_12_20_08_42_09.jpeg
                                                                      Nov 6, 2024 15:10:34.607419968 CET2149990110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:10:35.407906055 CET2149990110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.801 seconds (measured here), 92.53 Kbytes per second
                                                                      Nov 6, 2024 15:11:00.051328897 CET2149998110.4.45.197192.168.2.6220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 50 allowed.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 50 allowed.220-Local time is now 22:11. Server port: 21.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 50 allowed.220-Local time is now 22:11. Server port: 21.220-This is a private system - No anonymous login
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 50 allowed.220-Local time is now 22:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.
                                                                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 50 allowed.220-Local time is now 22:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                                                      Nov 6, 2024 15:11:00.051539898 CET4999821192.168.2.6110.4.45.197USER origin@haliza.com.my
                                                                      Nov 6, 2024 15:11:00.406196117 CET2149998110.4.45.197192.168.2.6331 User origin@haliza.com.my OK. Password required
                                                                      Nov 6, 2024 15:11:00.409353971 CET4999821192.168.2.6110.4.45.197PASS JesusChrist007$
                                                                      Nov 6, 2024 15:11:00.763201952 CET2149998110.4.45.197192.168.2.6230 OK. Current restricted directory is /
                                                                      Nov 6, 2024 15:11:01.092736959 CET2149998110.4.45.197192.168.2.6504 Unknown command
                                                                      Nov 6, 2024 15:11:01.092880964 CET4999821192.168.2.6110.4.45.197PWD
                                                                      Nov 6, 2024 15:11:01.422888994 CET2149998110.4.45.197192.168.2.6257 "/" is your current location
                                                                      Nov 6, 2024 15:11:01.429200888 CET4999821192.168.2.6110.4.45.197TYPE I
                                                                      Nov 6, 2024 15:11:01.758826017 CET2149998110.4.45.197192.168.2.6200 TYPE is now 8-bit binary
                                                                      Nov 6, 2024 15:11:01.762841940 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:02.092914104 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,244,16)
                                                                      Nov 6, 2024 15:11:02.099225044 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_01_08_02_10_52.jpeg
                                                                      Nov 6, 2024 15:11:02.993196011 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:03.312352896 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:03.750379086 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.757 seconds (measured here), 97.91 Kbytes per second
                                                                      Nov 6, 2024 15:11:04.269177914 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:04.600888968 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,251,74)
                                                                      Nov 6, 2024 15:11:04.606942892 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_01_14_12_03_24.jpeg
                                                                      Nov 6, 2024 15:11:05.511127949 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:06.276916981 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.766 seconds (measured here), 96.75 Kbytes per second
                                                                      Nov 6, 2024 15:11:08.081168890 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:08.411665916 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,227,150)
                                                                      Nov 6, 2024 15:11:08.425318956 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_01_18_08_27_49.jpeg
                                                                      Nov 6, 2024 15:11:09.336128950 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:10.093621969 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.758 seconds (measured here), 97.75 Kbytes per second
                                                                      Nov 6, 2024 15:11:20.314758062 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:20.646693945 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,247,82)
                                                                      Nov 6, 2024 15:11:20.652486086 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_01_25_23_31_03.jpeg
                                                                      Nov 6, 2024 15:11:21.548082113 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:22.293498993 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.745 seconds (measured here), 99.37 Kbytes per second
                                                                      Nov 6, 2024 15:11:40.822057009 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:41.159176111 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,252,170)
                                                                      Nov 6, 2024 15:11:41.164501905 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_02_05_11_16_24.jpeg
                                                                      Nov 6, 2024 15:11:42.115654945 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:42.948185921 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.835 seconds (measured here), 88.71 Kbytes per second
                                                                      Nov 6, 2024 15:11:50.136940002 CET4999821192.168.2.6110.4.45.197PASV
                                                                      Nov 6, 2024 15:11:50.466926098 CET2149998110.4.45.197192.168.2.6227 Entering Passive Mode (110,4,45,197,232,158)
                                                                      Nov 6, 2024 15:11:50.472620964 CET4999821192.168.2.6110.4.45.197STOR SC_user-585948_2025_02_11_11_22_33.jpeg
                                                                      Nov 6, 2024 15:11:51.400015116 CET2149998110.4.45.197192.168.2.6150 Accepted data connection
                                                                      Nov 6, 2024 15:11:52.191838026 CET2149998110.4.45.197192.168.2.6226-File successfully transferred
                                                                      226-File successfully transferred226 0.797 seconds (measured here), 92.88 Kbytes per second

                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:09:07:55
                                                                      Start date:06/11/2024
                                                                      Path:C:\Users\user\Desktop\Pi648je050.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Pi648je050.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'267'163 bytes
                                                                      MD5 hash:B47427B1A08950C5D561D65B664F0100
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2143641913.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:2
                                                                      Start time:09:07:57
                                                                      Start date:06/11/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\Pi648je050.exe"
                                                                      Imagebase:0x410000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:3
                                                                      Start time:09:07:58
                                                                      Start date:06/11/2024
                                                                      Path:C:\Users\user\Desktop\Pi648je050.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Pi648je050.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'267'163 bytes
                                                                      MD5 hash:B47427B1A08950C5D561D65B664F0100
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2162568735.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:4
                                                                      Start time:09:08:00
                                                                      Start date:06/11/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Pi648je050.exe"
                                                                      Imagebase:0x5d0000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000004.00000002.4603760711.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4599985690.000000000272F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4600489744.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.4598852140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4600489744.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4600489744.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000004.00000002.4603326550.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      General

                                                                      Target ID:6
                                                                      Start time:09:08:13
                                                                      Start date:06/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                                                      Imagebase:0x1a0000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:7
                                                                      Start time:09:08:13
                                                                      Start date:06/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:8
                                                                      Start time:09:08:22
                                                                      Start date:06/11/2024
                                                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                                                      Imagebase:0x560000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:9
                                                                      Start time:09:08:22
                                                                      Start date:06/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >

                                                                        Execution Graph

                                                                        Execution Coverage:3.2%
                                                                        Dynamic/Decrypted Code Coverage:1.1%
                                                                        Signature Coverage:4%
                                                                        Total number of Nodes:1683
                                                                        Total number of Limit Nodes:52
                                                                        execution_graph 84652 467046 84653 46705d 84652->84653 84663 467136 84652->84663 84654 4671a0 84653->84654 84655 46710d 84653->84655 84656 467199 84653->84656 84665 46706e 84653->84665 84658 41171a 75 API calls 84654->84658 84659 41171a 75 API calls 84655->84659 84686 40e380 VariantClear moneypunct 84656->84686 84671 4670f3 _memcpy_s 84658->84671 84659->84671 84660 4670d2 84662 41171a 75 API calls 84660->84662 84661 41171a 75 API calls 84661->84663 84664 4670d8 84662->84664 84684 443466 75 API calls 84664->84684 84670 4670a9 moneypunct 84665->84670 84672 41171a 84665->84672 84668 4670e8 84685 45efe7 77 API calls moneypunct 84668->84685 84670->84654 84670->84660 84670->84671 84671->84661 84673 411724 84672->84673 84675 41173e 84673->84675 84679 411740 std::bad_alloc::bad_alloc 84673->84679 84687 4138ba 84673->84687 84705 411afc 6 API calls __decode_pointer 84673->84705 84675->84670 84677 411766 84709 4116fd 67 API calls std::exception::exception 84677->84709 84679->84677 84706 411421 84679->84706 84680 411770 84710 41805b RaiseException 84680->84710 84683 41177e 84684->84668 84685->84671 84686->84654 84688 41396d 84687->84688 84699 4138cc 84687->84699 84718 411afc 6 API calls __decode_pointer 84688->84718 84690 413973 84719 417f23 67 API calls __getptd_noexit 84690->84719 84693 413965 84693->84673 84696 4138dd 84696->84699 84711 418252 67 API calls 2 library calls 84696->84711 84712 4180a7 67 API calls 7 library calls 84696->84712 84713 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84696->84713 84697 413929 RtlAllocateHeap 84697->84699 84699->84693 84699->84696 84699->84697 84700 413959 84699->84700 84703 41395e 84699->84703 84714 41386b 67 API calls 4 library calls 84699->84714 84715 411afc 6 API calls __decode_pointer 84699->84715 84716 417f23 67 API calls __getptd_noexit 84700->84716 84717 417f23 67 API calls __getptd_noexit 84703->84717 84705->84673 84720 4113e5 84706->84720 84708 41142e 84708->84677 84709->84680 84710->84683 84711->84696 84712->84696 84714->84699 84715->84699 84716->84703 84717->84693 84718->84690 84719->84693 84721 4113f1 __locking 84720->84721 84728 41181b 84721->84728 84727 411412 __locking 84727->84708 84754 418407 84728->84754 84730 4113f6 84731 4112fa 84730->84731 84819 4169e9 TlsGetValue 84731->84819 84734 4169e9 __decode_pointer 6 API calls 84735 41131e 84734->84735 84746 4113a1 84735->84746 84829 4170e7 68 API calls 4 library calls 84735->84829 84737 41133c 84739 411357 84737->84739 84740 411366 84737->84740 84750 411388 84737->84750 84738 41696e __encode_pointer 6 API calls 84741 411396 84738->84741 84830 417047 73 API calls _realloc 84739->84830 84743 411360 84740->84743 84740->84746 84744 41696e __encode_pointer 6 API calls 84741->84744 84743->84740 84747 41137c 84743->84747 84831 417047 73 API calls _realloc 84743->84831 84744->84746 84751 41141b 84746->84751 84832 41696e TlsGetValue 84747->84832 84748 411376 84748->84746 84748->84747 84750->84738 84844 411824 84751->84844 84755 41841c 84754->84755 84756 41842f EnterCriticalSection 84754->84756 84761 418344 84755->84761 84756->84730 84758 418422 84758->84756 84789 4117af 67 API calls 3 library calls 84758->84789 84760 41842e 84760->84756 84762 418350 __locking 84761->84762 84763 418360 84762->84763 84764 418378 84762->84764 84790 418252 67 API calls 2 library calls 84763->84790 84776 418386 __locking 84764->84776 84793 416fb6 84764->84793 84767 418365 84791 4180a7 67 API calls 7 library calls 84767->84791 84770 4183a7 84774 418407 __lock 67 API calls 84770->84774 84771 418398 84799 417f23 67 API calls __getptd_noexit 84771->84799 84772 41836c 84792 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84772->84792 84777 4183ae 84774->84777 84776->84758 84779 4183e2 84777->84779 84780 4183b6 84777->84780 84781 413a88 __fcloseall 67 API calls 84779->84781 84800 4189e6 InitializeCriticalSectionAndSpinCount __locking 84780->84800 84783 4183d3 84781->84783 84815 4183fe LeaveCriticalSection _doexit 84783->84815 84784 4183c1 84784->84783 84801 413a88 84784->84801 84787 4183cd 84814 417f23 67 API calls __getptd_noexit 84787->84814 84789->84760 84790->84767 84791->84772 84794 416fbf 84793->84794 84795 4138ba _malloc 66 API calls 84794->84795 84796 416ff5 84794->84796 84797 416fd6 Sleep 84794->84797 84795->84794 84796->84770 84796->84771 84798 416feb 84797->84798 84798->84794 84798->84796 84799->84776 84800->84784 84803 413a94 __locking 84801->84803 84802 413b0d __locking __dosmaperr 84802->84787 84803->84802 84805 418407 __lock 65 API calls 84803->84805 84813 413ad3 84803->84813 84804 413ae8 RtlFreeHeap 84804->84802 84806 413afa 84804->84806 84810 413aab ___sbh_find_block 84805->84810 84818 417f23 67 API calls __getptd_noexit 84806->84818 84808 413aff GetLastError 84808->84802 84809 413ac5 84817 413ade LeaveCriticalSection _doexit 84809->84817 84810->84809 84816 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree __fptostr 84810->84816 84813->84802 84813->84804 84814->84783 84815->84776 84816->84809 84817->84813 84818->84808 84820 416a01 84819->84820 84821 416a22 GetModuleHandleW 84819->84821 84820->84821 84822 416a0b TlsGetValue 84820->84822 84823 416a32 84821->84823 84824 416a3d GetProcAddress 84821->84824 84826 416a16 84822->84826 84842 41177f Sleep GetModuleHandleW 84823->84842 84828 41130e 84824->84828 84826->84821 84826->84828 84827 416a38 84827->84824 84827->84828 84828->84734 84829->84737 84830->84743 84831->84748 84833 4169a7 GetModuleHandleW 84832->84833 84834 416986 84832->84834 84836 4169c2 GetProcAddress 84833->84836 84837 4169b7 84833->84837 84834->84833 84835 416990 TlsGetValue 84834->84835 84839 41699b 84835->84839 84841 41699f 84836->84841 84843 41177f Sleep GetModuleHandleW 84837->84843 84839->84833 84839->84841 84840 4169bd 84840->84836 84840->84841 84841->84750 84842->84827 84843->84840 84847 41832d LeaveCriticalSection 84844->84847 84846 411420 84846->84727 84847->84846 84848 4444e4 84853 40d900 84848->84853 84850 4444ee 84857 43723d 84850->84857 84852 444504 84854 40d917 84853->84854 84855 40d909 84853->84855 84854->84855 84856 40d91c CloseHandle 84854->84856 84855->84850 84856->84850 84858 40d900 CloseHandle 84857->84858 84859 437247 moneypunct 84858->84859 84859->84852 84860 444343 84863 444326 84860->84863 84862 44434e WriteFile 84864 444340 84863->84864 84865 4442c7 84863->84865 84864->84862 84870 40e190 SetFilePointerEx 84865->84870 84867 4442e0 SetFilePointerEx 84871 40e190 SetFilePointerEx 84867->84871 84869 4442ff 84869->84862 84870->84867 84871->84869 84872 46d22f 84875 46d098 84872->84875 84874 46d241 84876 46d0b5 84875->84876 84877 46d115 84876->84877 84878 46d0b9 84876->84878 84930 45c216 78 API calls 84877->84930 84879 41171a 75 API calls 84878->84879 84881 46d0c0 84879->84881 84884 46d0cc 84881->84884 84919 40d940 76 API calls 84881->84919 84882 46d126 84883 46d0f8 84882->84883 84890 46d142 84882->84890 84926 4092c0 84883->84926 84920 453063 84884->84920 84888 46d0fd 84888->84874 84891 46d1c8 84890->84891 84893 46d158 84890->84893 84940 4676a3 78 API calls 84891->84940 84896 453063 111 API calls 84893->84896 84894 46d0ea 84894->84890 84897 46d0ee 84894->84897 84906 46d15e 84896->84906 84897->84883 84925 44ade5 CloseHandle moneypunct 84897->84925 84898 46d1ce 84941 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84898->84941 84899 46d18d 84931 467fce 82 API calls 84899->84931 84903 46d196 84932 4013a0 84903->84932 84904 46d1e7 84908 4092c0 VariantClear 84904->84908 84917 46d194 84904->84917 84906->84899 84906->84903 84908->84917 84910 46d1ac 84938 40d3b0 75 API calls 2 library calls 84910->84938 84912 46d224 84912->84874 84913 46d1b8 84939 467fce 82 API calls 84913->84939 84914 40d900 CloseHandle 84916 46d216 84914->84916 84942 44ade5 CloseHandle moneypunct 84916->84942 84917->84912 84917->84914 84919->84884 84921 45306e 84920->84921 84922 45307a 84920->84922 84921->84922 84943 452e2a 111 API calls 5 library calls 84921->84943 84924 40dfa0 83 API calls 84922->84924 84924->84894 84925->84883 84927 4092c8 moneypunct 84926->84927 84928 429db0 VariantClear 84927->84928 84929 4092d5 moneypunct 84927->84929 84928->84929 84929->84888 84930->84882 84931->84917 84933 41171a 75 API calls 84932->84933 84934 4013c4 84933->84934 84944 401380 84934->84944 84937 40df50 75 API calls 84937->84910 84938->84913 84939->84917 84940->84898 84941->84904 84942->84912 84943->84922 84945 41171a 75 API calls 84944->84945 84946 401387 84945->84946 84946->84937 84947 40116e 84948 401119 DefWindowProcW 84947->84948 84949 429212 84954 410b90 84949->84954 84952 411421 __cinit 74 API calls 84953 42922f 84952->84953 84955 410b9a __write_nolock 84954->84955 84956 41171a 75 API calls 84955->84956 84957 410c31 GetModuleFileNameW 84956->84957 84971 413db0 84957->84971 84959 410c66 _wcsncat 84974 413e3c 84959->84974 84962 41171a 75 API calls 84963 410ca3 _wcscpy 84962->84963 84964 410cd1 RegOpenKeyExW 84963->84964 84965 429bc3 RegQueryValueExW 84964->84965 84966 410cf7 84964->84966 84967 429cd9 RegCloseKey 84965->84967 84969 429bf2 _wcscat _wcslen _wcsncpy 84965->84969 84966->84952 84968 41171a 75 API calls 84968->84969 84969->84968 84970 429cd8 84969->84970 84970->84967 84977 413b95 84971->84977 85007 41abec 84974->85007 84978 413c2f 84977->84978 84985 413bae 84977->84985 84979 413d60 84978->84979 84980 413d7b 84978->84980 85003 417f23 67 API calls __getptd_noexit 84979->85003 85005 417f23 67 API calls __getptd_noexit 84980->85005 84983 413d65 84989 413cfb 84983->84989 85004 417ebb 6 API calls 2 library calls 84983->85004 84985->84978 84993 413c1d 84985->84993 84999 41ab19 67 API calls __locking 84985->84999 84987 413d03 84987->84978 84987->84989 84990 413d8e 84987->84990 84988 413cb9 84988->84978 84991 413cd6 84988->84991 85001 41ab19 67 API calls __locking 84988->85001 84989->84959 85006 41ab19 67 API calls __locking 84990->85006 84991->84978 84991->84989 84995 413cef 84991->84995 84993->84978 84998 413c9b 84993->84998 85000 41ab19 67 API calls __locking 84993->85000 85002 41ab19 67 API calls __locking 84995->85002 84998->84987 84998->84988 84999->84993 85000->84998 85001->84991 85002->84989 85003->84983 85005->84983 85006->84989 85008 41ac02 85007->85008 85009 41abfd 85007->85009 85016 417f23 67 API calls __getptd_noexit 85008->85016 85009->85008 85014 41ac22 85009->85014 85011 41ac07 85017 417ebb 6 API calls 2 library calls 85011->85017 85013 410c99 85013->84962 85014->85013 85018 417f23 67 API calls __getptd_noexit 85014->85018 85016->85011 85018->85011 85019 401230 85020 401241 _memset 85019->85020 85021 4012c5 85019->85021 85034 401be0 85020->85034 85023 40126b 85024 4012ae KillTimer SetTimer 85023->85024 85025 42aa61 85023->85025 85026 401298 85023->85026 85024->85021 85029 42aa8b Shell_NotifyIconW 85025->85029 85030 42aa69 Shell_NotifyIconW 85025->85030 85027 4012a2 85026->85027 85028 42aaac 85026->85028 85027->85024 85031 42aaf8 Shell_NotifyIconW 85027->85031 85032 42aad7 Shell_NotifyIconW 85028->85032 85033 42aab5 Shell_NotifyIconW 85028->85033 85029->85024 85030->85024 85031->85024 85032->85024 85033->85024 85035 401bfb 85034->85035 85055 401cde 85034->85055 85036 4013a0 75 API calls 85035->85036 85037 401c0b 85036->85037 85038 42a9a0 LoadStringW 85037->85038 85039 401c18 85037->85039 85042 42a9bb 85038->85042 85056 4021e0 85039->85056 85041 401c2d 85044 401c3a 85041->85044 85045 42a9cd 85041->85045 85069 40df50 75 API calls 85042->85069 85044->85042 85046 401c44 85044->85046 85070 40d3b0 75 API calls 2 library calls 85045->85070 85068 40d3b0 75 API calls 2 library calls 85046->85068 85049 42a9dc 85050 401c53 _memset _wcscpy _wcsncpy 85049->85050 85051 42a9f0 85049->85051 85054 401cc2 Shell_NotifyIconW 85050->85054 85071 40d3b0 75 API calls 2 library calls 85051->85071 85053 42a9fe 85054->85055 85055->85023 85057 4021f1 _wcslen 85056->85057 85058 42a598 85056->85058 85061 402205 85057->85061 85062 402226 85057->85062 85073 40c740 85058->85073 85060 42a5a2 85072 404020 75 API calls moneypunct 85061->85072 85063 401380 75 API calls 85062->85063 85065 40222d 85063->85065 85065->85060 85067 41171a 75 API calls 85065->85067 85066 40220c _memcpy_s 85066->85041 85067->85066 85068->85050 85069->85050 85070->85049 85071->85053 85072->85066 85074 40c752 85073->85074 85075 40c747 85073->85075 85074->85060 85075->85074 85078 402ae0 85075->85078 85077 42a572 _memcpy_s 85077->85060 85079 42a06a 85078->85079 85080 402aef 85078->85080 85081 401380 75 API calls 85079->85081 85080->85077 85082 42a072 85081->85082 85083 41171a 75 API calls 85082->85083 85084 42a095 _memcpy_s 85083->85084 85084->85077 85085 40c170 85086 40c17b 85085->85086 85087 40c1a5 _memcpy_s 85085->85087 85086->85087 85088 40c1d6 85086->85088 85089 40c19b 85086->85089 85091 41171a 75 API calls 85088->85091 85094 4034b0 85089->85094 85092 40c1df 85091->85092 85092->85087 85093 41171a 75 API calls 85092->85093 85093->85087 85095 4034b9 85094->85095 85096 4034bd 85094->85096 85095->85087 85097 41171a 75 API calls 85096->85097 85098 42a0ba 85096->85098 85099 4034fe _memcpy_s moneypunct 85097->85099 85099->85087 85100 40f110 RegOpenKeyExW 85101 40f13c RegQueryValueExW RegCloseKey 85100->85101 85102 40f15f 85100->85102 85101->85102 85103 416193 85140 41718c 85103->85140 85105 41619f GetStartupInfoW 85107 4161c2 85105->85107 85141 41aa31 HeapCreate 85107->85141 85109 416212 85143 416e29 GetModuleHandleW 85109->85143 85113 416223 __RTC_Initialize 85177 41b669 85113->85177 85116 416231 85117 41623d GetCommandLineW 85116->85117 85245 4117af 67 API calls 3 library calls 85116->85245 85192 42235f GetEnvironmentStringsW 85117->85192 85120 41623c 85120->85117 85121 41624c 85198 4222b1 GetModuleFileNameW 85121->85198 85123 416256 85124 416261 85123->85124 85246 4117af 67 API calls 3 library calls 85123->85246 85202 422082 85124->85202 85128 416272 85215 41186e 85128->85215 85131 416279 85133 416284 __wwincmdln 85131->85133 85248 4117af 67 API calls 3 library calls 85131->85248 85221 40d7f0 85133->85221 85136 4162b3 85250 411a4b 67 API calls _doexit 85136->85250 85139 4162b8 __locking 85140->85105 85142 416206 85141->85142 85142->85109 85243 41616a 67 API calls 3 library calls 85142->85243 85144 416e44 85143->85144 85145 416e3d 85143->85145 85146 416fac 85144->85146 85147 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 85144->85147 85251 41177f Sleep GetModuleHandleW 85145->85251 85261 416ad5 70 API calls 2 library calls 85146->85261 85150 416e97 TlsAlloc 85147->85150 85149 416e43 85149->85144 85153 416218 85150->85153 85154 416ee5 TlsSetValue 85150->85154 85153->85113 85244 41616a 67 API calls 3 library calls 85153->85244 85154->85153 85155 416ef6 85154->85155 85252 411a69 6 API calls 4 library calls 85155->85252 85157 416efb 85158 41696e __encode_pointer 6 API calls 85157->85158 85159 416f06 85158->85159 85160 41696e __encode_pointer 6 API calls 85159->85160 85161 416f16 85160->85161 85162 41696e __encode_pointer 6 API calls 85161->85162 85163 416f26 85162->85163 85164 41696e __encode_pointer 6 API calls 85163->85164 85165 416f36 85164->85165 85253 41828b InitializeCriticalSectionAndSpinCount __ioinit 85165->85253 85167 416f43 85167->85146 85168 4169e9 __decode_pointer 6 API calls 85167->85168 85169 416f57 85168->85169 85169->85146 85254 416ffb 85169->85254 85172 4169e9 __decode_pointer 6 API calls 85173 416f8a 85172->85173 85173->85146 85174 416f91 85173->85174 85260 416b12 67 API calls 5 library calls 85174->85260 85176 416f99 GetCurrentThreadId 85176->85153 85280 41718c 85177->85280 85179 41b675 GetStartupInfoA 85180 416ffb __calloc_crt 67 API calls 85179->85180 85187 41b696 85180->85187 85181 41b8b4 __locking 85181->85116 85182 41b831 GetStdHandle 85186 41b7fb 85182->85186 85183 41b896 SetHandleCount 85183->85181 85184 416ffb __calloc_crt 67 API calls 85184->85187 85185 41b843 GetFileType 85185->85186 85186->85181 85186->85182 85186->85183 85186->85185 85282 4189e6 InitializeCriticalSectionAndSpinCount __locking 85186->85282 85187->85181 85187->85184 85187->85186 85189 41b77e 85187->85189 85189->85181 85189->85186 85190 41b7a7 GetFileType 85189->85190 85281 4189e6 InitializeCriticalSectionAndSpinCount __locking 85189->85281 85190->85189 85193 422370 85192->85193 85194 422374 85192->85194 85193->85121 85195 416fb6 __malloc_crt 67 API calls 85194->85195 85197 422395 _memcpy_s 85195->85197 85196 42239c FreeEnvironmentStringsW 85196->85121 85197->85196 85199 4222e6 _wparse_cmdline 85198->85199 85200 416fb6 __malloc_crt 67 API calls 85199->85200 85201 422329 _wparse_cmdline 85199->85201 85200->85201 85201->85123 85203 42209a _wcslen 85202->85203 85207 416267 85202->85207 85204 416ffb __calloc_crt 67 API calls 85203->85204 85210 4220be _wcslen 85204->85210 85205 422123 85206 413a88 __fcloseall 67 API calls 85205->85206 85206->85207 85207->85128 85247 4117af 67 API calls 3 library calls 85207->85247 85208 416ffb __calloc_crt 67 API calls 85208->85210 85209 422149 85211 413a88 __fcloseall 67 API calls 85209->85211 85210->85205 85210->85207 85210->85208 85210->85209 85213 422108 85210->85213 85283 426349 67 API calls __locking 85210->85283 85211->85207 85213->85210 85284 417d93 10 API calls 3 library calls 85213->85284 85216 41187c __IsNonwritableInCurrentImage 85215->85216 85285 418486 85216->85285 85218 41189a __initterm_e 85219 411421 __cinit 74 API calls 85218->85219 85220 4118b9 __IsNonwritableInCurrentImage __initterm 85218->85220 85219->85220 85220->85131 85222 431bcb 85221->85222 85223 40d80c 85221->85223 85224 4092c0 VariantClear 85223->85224 85225 40d847 85224->85225 85289 40eb50 85225->85289 85228 40d877 85292 411ac6 67 API calls 4 library calls 85228->85292 85231 40d888 85293 411b24 67 API calls __locking 85231->85293 85233 40d891 85294 40f370 SystemParametersInfoW SystemParametersInfoW 85233->85294 85235 40d89f 85295 40d6d0 GetCurrentDirectoryW 85235->85295 85237 40d8a7 SystemParametersInfoW 85238 40d8cd 85237->85238 85239 4092c0 VariantClear 85238->85239 85240 40d8dd 85239->85240 85241 4092c0 VariantClear 85240->85241 85242 40d8e6 85241->85242 85242->85136 85249 411a1f 67 API calls _doexit 85242->85249 85243->85109 85244->85113 85245->85120 85246->85124 85247->85128 85248->85133 85249->85136 85250->85139 85251->85149 85252->85157 85253->85167 85257 417004 85254->85257 85256 416f70 85256->85146 85256->85172 85257->85256 85258 417022 Sleep 85257->85258 85262 422452 85257->85262 85259 417037 85258->85259 85259->85256 85259->85257 85260->85176 85261->85153 85263 42245e __locking 85262->85263 85264 422476 85263->85264 85269 422495 _memset 85263->85269 85275 417f23 67 API calls __getptd_noexit 85264->85275 85266 42247b 85276 417ebb 6 API calls 2 library calls 85266->85276 85268 422507 HeapAlloc 85268->85269 85269->85268 85271 418407 __lock 66 API calls 85269->85271 85272 42248b __locking 85269->85272 85277 41a74c 5 API calls 2 library calls 85269->85277 85278 42254e LeaveCriticalSection _doexit 85269->85278 85279 411afc 6 API calls __decode_pointer 85269->85279 85271->85269 85272->85257 85275->85266 85277->85269 85278->85269 85279->85269 85280->85179 85281->85189 85282->85186 85283->85210 85284->85213 85286 41848c 85285->85286 85287 41696e __encode_pointer 6 API calls 85286->85287 85288 4184a4 85286->85288 85287->85286 85288->85218 85333 40eb70 85289->85333 85292->85231 85293->85233 85294->85235 85337 401f80 85295->85337 85297 40d6f1 IsDebuggerPresent 85298 431a9d MessageBoxA 85297->85298 85299 40d6ff 85297->85299 85300 431ab6 85298->85300 85299->85300 85301 40d71f 85299->85301 85439 403e90 75 API calls 3 library calls 85300->85439 85407 40f3b0 85301->85407 85305 40d73a GetFullPathNameW 85437 401440 127 API calls _wcscat 85305->85437 85307 40d77a 85308 40d782 85307->85308 85309 431b09 SetCurrentDirectoryW 85307->85309 85310 40d78b 85308->85310 85440 43604b 6 API calls 85308->85440 85309->85308 85419 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 85310->85419 85313 431b28 85313->85310 85315 431b30 GetModuleFileNameW 85313->85315 85317 431ba4 GetForegroundWindow ShellExecuteW 85315->85317 85318 431b4c 85315->85318 85320 40d7c7 85317->85320 85441 401b70 85318->85441 85319 40d795 85326 40d7a8 85319->85326 85427 40e1e0 85319->85427 85324 40d7d1 SetCurrentDirectoryW 85320->85324 85324->85237 85326->85320 85438 401000 Shell_NotifyIconW _memset 85326->85438 85327 431b66 85448 40d3b0 75 API calls 2 library calls 85327->85448 85330 431b72 GetForegroundWindow ShellExecuteW 85331 431b9f 85330->85331 85331->85320 85332 40eba0 LoadLibraryA GetProcAddress 85332->85228 85334 40d86e 85333->85334 85335 40eb76 LoadLibraryA 85333->85335 85334->85228 85334->85332 85335->85334 85336 40eb87 GetProcAddress 85335->85336 85336->85334 85449 40e680 85337->85449 85341 401fa2 GetModuleFileNameW 85467 40ff90 85341->85467 85343 401fbd 85479 4107b0 85343->85479 85346 401b70 75 API calls 85347 401fe4 85346->85347 85482 4019e0 85347->85482 85349 401ff2 85350 4092c0 VariantClear 85349->85350 85351 402002 85350->85351 85352 401b70 75 API calls 85351->85352 85353 40201c 85352->85353 85354 4019e0 76 API calls 85353->85354 85355 40202c 85354->85355 85356 401b70 75 API calls 85355->85356 85357 40203c 85356->85357 85490 40c3e0 85357->85490 85359 40204d 85508 40c060 85359->85508 85363 40206e 85520 4115d0 85363->85520 85366 42c174 85368 401a70 75 API calls 85366->85368 85367 402088 85369 4115d0 __wcsicoll 79 API calls 85367->85369 85370 42c189 85368->85370 85371 402093 85369->85371 85373 401a70 75 API calls 85370->85373 85371->85370 85372 40209e 85371->85372 85374 4115d0 __wcsicoll 79 API calls 85372->85374 85375 42c1a7 85373->85375 85376 4020a9 85374->85376 85377 42c1b0 GetModuleFileNameW 85375->85377 85376->85377 85378 4020b4 85376->85378 85380 401a70 75 API calls 85377->85380 85379 4115d0 __wcsicoll 79 API calls 85378->85379 85381 4020bf 85379->85381 85382 42c1e2 85380->85382 85383 402107 85381->85383 85388 401a70 75 API calls 85381->85388 85390 42c20a _wcscpy 85381->85390 85532 40df50 75 API calls 85382->85532 85385 402119 85383->85385 85383->85390 85387 42c243 85385->85387 85528 40e7e0 76 API calls 85385->85528 85386 42c1f1 85389 401a70 75 API calls 85386->85389 85392 4020e5 _wcscpy 85388->85392 85393 42c201 85389->85393 85394 401a70 75 API calls 85390->85394 85397 401a70 75 API calls 85392->85397 85393->85390 85400 402148 85394->85400 85395 402132 85529 40d030 76 API calls 85395->85529 85397->85383 85398 40213e 85399 4092c0 VariantClear 85398->85399 85399->85400 85403 402184 85400->85403 85405 401a70 75 API calls 85400->85405 85530 40d030 76 API calls 85400->85530 85531 40e640 76 API calls 85400->85531 85404 4092c0 VariantClear 85403->85404 85406 402196 moneypunct 85404->85406 85405->85400 85406->85297 85408 42ccf4 _memset 85407->85408 85409 40f3c9 85407->85409 85411 42cd05 GetOpenFileNameW 85408->85411 86209 40ffb0 76 API calls moneypunct 85409->86209 85411->85409 85414 40d732 85411->85414 85412 40f3d2 86210 410130 SHGetMalloc 85412->86210 85414->85305 85414->85307 85415 40f3d9 86215 410020 88 API calls __wcsicoll 85415->86215 85417 40f3e7 86216 40f400 85417->86216 85420 42b9d3 85419->85420 85421 41025a LoadImageW RegisterClassExW 85419->85421 86270 443e8f EnumResourceNamesW LoadImageW 85420->86270 86269 4102f0 7 API calls 85421->86269 85424 42b9da 85425 40d790 85426 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 85425->85426 85426->85319 85428 40e207 _memset 85427->85428 85429 42aa14 DestroyIcon 85428->85429 85430 40e262 85428->85430 85429->85430 85431 40e2a4 85430->85431 86271 43737d 84 API calls __wcsicoll 85430->86271 85433 40e2c0 Shell_NotifyIconW 85431->85433 85434 42aa50 Shell_NotifyIconW 85431->85434 85435 401be0 77 API calls 85433->85435 85436 40e2da 85435->85436 85436->85326 85437->85307 85438->85320 85439->85307 85440->85313 85442 401b76 _wcslen 85441->85442 85443 41171a 75 API calls 85442->85443 85446 401bc5 85442->85446 85444 401bad _memcpy_s 85443->85444 85445 41171a 75 API calls 85444->85445 85445->85446 85447 40d3b0 75 API calls 2 library calls 85446->85447 85447->85327 85448->85330 85450 40c060 75 API calls 85449->85450 85451 401f90 85450->85451 85452 402940 85451->85452 85453 40294a __write_nolock 85452->85453 85454 4021e0 75 API calls 85453->85454 85456 402972 85454->85456 85466 4029a4 85456->85466 85533 401cf0 85456->85533 85457 402ae0 75 API calls 85457->85466 85458 402a8c 85459 401b70 75 API calls 85458->85459 85465 402abe 85458->85465 85461 402ab3 85459->85461 85460 401b70 75 API calls 85460->85466 85537 40d970 75 API calls 2 library calls 85461->85537 85463 401cf0 75 API calls 85463->85466 85465->85341 85466->85457 85466->85458 85466->85460 85466->85463 85536 40d970 75 API calls 2 library calls 85466->85536 85538 40f5e0 85467->85538 85470 40ffa6 85470->85343 85472 42b6d8 85473 42b6e6 85472->85473 85594 434fe1 85472->85594 85475 413a88 __fcloseall 67 API calls 85473->85475 85476 42b6f5 85475->85476 85477 434fe1 106 API calls 85476->85477 85478 42b702 85477->85478 85478->85343 85480 41171a 75 API calls 85479->85480 85481 401fd6 85480->85481 85481->85346 85483 401a03 85482->85483 85487 4019e5 85482->85487 85484 401a1a 85483->85484 85483->85487 86198 404260 76 API calls 85484->86198 85485 4019ff 85485->85349 85487->85485 86197 404260 76 API calls 85487->86197 85489 401a26 85489->85349 85491 40c3e4 85490->85491 85492 40c42c 85490->85492 85493 40c3f0 85491->85493 85494 42a475 85491->85494 85495 42a422 85492->85495 85496 40c435 85492->85496 86199 4042f0 75 API calls __cinit 85493->86199 86204 453155 75 API calls 85494->86204 85498 42a427 85495->85498 85499 42a445 85495->85499 85500 40c441 85496->85500 85501 42a455 85496->85501 85502 40c3fb 85498->85502 86201 453155 75 API calls 85498->86201 86202 453155 75 API calls 85499->86202 86200 4042f0 75 API calls __cinit 85500->86200 86203 453155 75 API calls 85501->86203 85502->85359 85509 41171a 75 API calls 85508->85509 85510 40c088 85509->85510 85511 41171a 75 API calls 85510->85511 85512 402061 85511->85512 85513 401a70 85512->85513 85514 401a90 85513->85514 85515 401a77 85513->85515 85517 4021e0 75 API calls 85514->85517 85516 401a8d 85515->85516 86205 404080 75 API calls _memcpy_s 85515->86205 85516->85363 85518 401a9c 85517->85518 85518->85363 85521 4115e1 85520->85521 85522 411650 85520->85522 85525 40207d 85521->85525 86206 417f23 67 API calls __getptd_noexit 85521->86206 86208 4114bf 79 API calls 3 library calls 85522->86208 85525->85366 85525->85367 85526 4115ed 86207 417ebb 6 API calls 2 library calls 85526->86207 85528->85395 85529->85398 85530->85400 85531->85400 85532->85386 85534 402ae0 75 API calls 85533->85534 85535 401cf7 85534->85535 85535->85456 85536->85466 85537->85465 85598 40f580 85538->85598 85540 40f5f8 _strcat moneypunct 85606 40f6d0 85540->85606 85545 42b2ee 85635 4151b0 85545->85635 85547 40f679 85547->85545 85548 40f681 85547->85548 85622 414e94 85548->85622 85552 40f68b 85552->85470 85557 452574 85552->85557 85554 42b31d 85641 415484 85554->85641 85556 42b33d 85558 41557c _fseek 105 API calls 85557->85558 85559 4525df 85558->85559 86142 4523ce 85559->86142 85562 4525fc 85562->85472 85563 4151b0 __fread_nolock 81 API calls 85564 45261d 85563->85564 85565 4151b0 __fread_nolock 81 API calls 85564->85565 85566 45262e 85565->85566 85567 4151b0 __fread_nolock 81 API calls 85566->85567 85568 452649 85567->85568 85569 4151b0 __fread_nolock 81 API calls 85568->85569 85570 452666 85569->85570 85571 41557c _fseek 105 API calls 85570->85571 85572 452682 85571->85572 85573 4138ba _malloc 67 API calls 85572->85573 85574 45268e 85573->85574 85575 4138ba _malloc 67 API calls 85574->85575 85576 45269b 85575->85576 85577 4151b0 __fread_nolock 81 API calls 85576->85577 85578 4526ac 85577->85578 85579 44afdc GetSystemTimeAsFileTime 85578->85579 85580 4526bf 85579->85580 85581 4526d5 85580->85581 85582 4526fd 85580->85582 85585 413a88 __fcloseall 67 API calls 85581->85585 85583 452704 85582->85583 85584 45275b 85582->85584 86148 44b195 85583->86148 85588 413a88 __fcloseall 67 API calls 85584->85588 85586 4526df 85585->85586 85589 413a88 __fcloseall 67 API calls 85586->85589 85591 452759 85588->85591 85592 4526e8 85589->85592 85590 452753 85593 413a88 __fcloseall 67 API calls 85590->85593 85591->85472 85592->85472 85593->85591 85595 434ff1 85594->85595 85596 434feb 85594->85596 85595->85473 85597 414e94 __fcloseall 106 API calls 85596->85597 85597->85595 85599 429440 85598->85599 85600 40f589 _wcslen 85598->85600 85601 40f58f WideCharToMultiByte 85600->85601 85602 40f5d8 85601->85602 85603 40f5ad 85601->85603 85602->85540 85604 41171a 75 API calls 85603->85604 85605 40f5bb WideCharToMultiByte 85604->85605 85605->85540 85607 40f6dd _strlen 85606->85607 85654 40f790 85607->85654 85610 414e06 85673 414d40 85610->85673 85612 40f666 85612->85545 85613 40f450 85612->85613 85616 40f45a _strcat _memcpy_s __write_nolock 85613->85616 85614 4151b0 __fread_nolock 81 API calls 85614->85616 85616->85614 85617 42936d 85616->85617 85621 40f531 85616->85621 85756 41557c 85616->85756 85618 41557c _fseek 105 API calls 85617->85618 85619 429394 85618->85619 85620 4151b0 __fread_nolock 81 API calls 85619->85620 85620->85621 85621->85547 85623 414ea0 __locking 85622->85623 85624 414ed1 85623->85624 85625 414eb4 85623->85625 85627 415965 __lock_file 68 API calls 85624->85627 85631 414ec9 __locking 85624->85631 85895 417f23 67 API calls __getptd_noexit 85625->85895 85629 414ee9 85627->85629 85628 414eb9 85896 417ebb 6 API calls 2 library calls 85628->85896 85879 414e1d 85629->85879 85631->85552 85964 41511a 85635->85964 85637 4151c8 85638 44afdc 85637->85638 86135 4431e0 85638->86135 85640 44affd 85640->85554 85642 415490 __locking 85641->85642 85643 4154bb 85642->85643 85644 41549e 85642->85644 85646 415965 __lock_file 68 API calls 85643->85646 86139 417f23 67 API calls __getptd_noexit 85644->86139 85647 4154c3 85646->85647 85649 4152e7 __ftell_nolock 71 API calls 85647->85649 85648 4154a3 86140 417ebb 6 API calls 2 library calls 85648->86140 85651 4154cf 85649->85651 86141 4154e8 LeaveCriticalSection LeaveCriticalSection __wfsopen 85651->86141 85653 4154b3 __locking 85653->85556 85655 40f7ae _memset 85654->85655 85657 40f628 85655->85657 85658 415258 85655->85658 85657->85610 85659 415285 85658->85659 85660 415268 85658->85660 85659->85660 85662 41528c 85659->85662 85669 417f23 67 API calls __getptd_noexit 85660->85669 85671 41c551 103 API calls 14 library calls 85662->85671 85663 41526d 85670 417ebb 6 API calls 2 library calls 85663->85670 85665 4152b2 85667 41527d 85665->85667 85672 4191c9 101 API calls 6 library calls 85665->85672 85667->85655 85669->85663 85671->85665 85672->85667 85674 414d4c __locking 85673->85674 85675 414d5f 85674->85675 85678 414d95 85674->85678 85725 417f23 67 API calls __getptd_noexit 85675->85725 85677 414d64 85726 417ebb 6 API calls 2 library calls 85677->85726 85692 41e28c 85678->85692 85681 414d9a 85682 414da1 85681->85682 85683 414dae 85681->85683 85727 417f23 67 API calls __getptd_noexit 85682->85727 85684 414dd6 85683->85684 85685 414db6 85683->85685 85710 41dfd8 85684->85710 85728 417f23 67 API calls __getptd_noexit 85685->85728 85689 414d74 __locking @_EH4_CallFilterFunc@8 85689->85612 85693 41e298 __locking 85692->85693 85694 418407 __lock 67 API calls 85693->85694 85707 41e2a6 85694->85707 85695 41e322 85697 416fb6 __malloc_crt 67 API calls 85695->85697 85699 41e32c 85697->85699 85698 41e3b0 __locking 85698->85681 85706 41e31b 85699->85706 85735 4189e6 InitializeCriticalSectionAndSpinCount __locking 85699->85735 85701 418344 __mtinitlocknum 67 API calls 85701->85707 85703 41e351 85704 41e35c 85703->85704 85705 41e36f EnterCriticalSection 85703->85705 85708 413a88 __fcloseall 67 API calls 85704->85708 85705->85706 85730 41e3bb 85706->85730 85707->85695 85707->85701 85707->85706 85733 4159a6 68 API calls __lock 85707->85733 85734 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 85707->85734 85708->85706 85719 41dffb __wopenfile 85710->85719 85711 41e015 85740 417f23 67 API calls __getptd_noexit 85711->85740 85712 41e1e9 85712->85711 85715 41e247 85712->85715 85714 41e01a 85741 417ebb 6 API calls 2 library calls 85714->85741 85737 425db0 85715->85737 85719->85711 85719->85712 85742 4136bc 79 API calls 2 library calls 85719->85742 85721 41e1e2 85721->85712 85743 4136bc 79 API calls 2 library calls 85721->85743 85723 41e201 85723->85712 85744 4136bc 79 API calls 2 library calls 85723->85744 85725->85677 85727->85689 85728->85689 85729 414dfc LeaveCriticalSection LeaveCriticalSection __wfsopen 85729->85689 85736 41832d LeaveCriticalSection 85730->85736 85732 41e3c2 85732->85698 85733->85707 85734->85707 85735->85703 85736->85732 85745 425ce4 85737->85745 85739 414de1 85739->85729 85740->85714 85742->85721 85743->85723 85744->85712 85746 425cf0 __locking 85745->85746 85747 425d03 85746->85747 85749 425d41 85746->85749 85748 417f23 __locking 67 API calls 85747->85748 85750 425d08 85748->85750 85751 4255c4 __tsopen_nolock 132 API calls 85749->85751 85752 417ebb __locking 6 API calls 85750->85752 85753 425d5b 85751->85753 85755 425d17 __locking 85752->85755 85754 425d82 __sopen_helper LeaveCriticalSection 85753->85754 85754->85755 85755->85739 85759 415588 __locking 85756->85759 85757 415596 85787 417f23 67 API calls __getptd_noexit 85757->85787 85758 4155c4 85769 415965 85758->85769 85759->85757 85759->85758 85762 41559b 85788 417ebb 6 API calls 2 library calls 85762->85788 85768 4155ab __locking 85768->85616 85770 415977 85769->85770 85771 415999 EnterCriticalSection 85769->85771 85770->85771 85772 41597f 85770->85772 85773 4155cc 85771->85773 85774 418407 __lock 67 API calls 85772->85774 85775 4154f2 85773->85775 85774->85773 85776 415512 85775->85776 85777 415502 85775->85777 85779 415524 85776->85779 85790 4152e7 85776->85790 85844 417f23 67 API calls __getptd_noexit 85777->85844 85807 41486c 85779->85807 85786 415507 85789 4155f7 LeaveCriticalSection LeaveCriticalSection __wfsopen 85786->85789 85787->85762 85789->85768 85791 41531a 85790->85791 85792 4152fa 85790->85792 85793 41453a __fileno 67 API calls 85791->85793 85845 417f23 67 API calls __getptd_noexit 85792->85845 85795 415320 85793->85795 85798 41efd4 __locking 71 API calls 85795->85798 85796 4152ff 85846 417ebb 6 API calls 2 library calls 85796->85846 85799 415335 85798->85799 85800 4153a9 85799->85800 85802 415364 85799->85802 85806 41530f 85799->85806 85847 417f23 67 API calls __getptd_noexit 85800->85847 85803 41efd4 __locking 71 API calls 85802->85803 85802->85806 85804 415404 85803->85804 85805 41efd4 __locking 71 API calls 85804->85805 85804->85806 85805->85806 85806->85779 85808 414885 85807->85808 85812 4148a7 85807->85812 85809 41453a __fileno 67 API calls 85808->85809 85808->85812 85810 4148a0 85809->85810 85848 41c3cf 101 API calls 3 library calls 85810->85848 85813 41453a 85812->85813 85814 414549 85813->85814 85818 41455e 85813->85818 85849 417f23 67 API calls __getptd_noexit 85814->85849 85816 41454e 85850 417ebb 6 API calls 2 library calls 85816->85850 85819 41efd4 85818->85819 85820 41efe0 __locking 85819->85820 85821 41f003 85820->85821 85822 41efe8 85820->85822 85823 41f011 85821->85823 85829 41f052 85821->85829 85871 417f36 67 API calls __getptd_noexit 85822->85871 85873 417f36 67 API calls __getptd_noexit 85823->85873 85825 41efed 85872 417f23 67 API calls __getptd_noexit 85825->85872 85828 41f016 85874 417f23 67 API calls __getptd_noexit 85828->85874 85851 41ba3b 85829->85851 85830 41eff5 __locking 85830->85786 85833 41f058 85835 41f065 85833->85835 85836 41f07b 85833->85836 85834 41f01d 85875 417ebb 6 API calls 2 library calls 85834->85875 85861 41ef5f 85835->85861 85876 417f23 67 API calls __getptd_noexit 85836->85876 85840 41f080 85877 417f36 67 API calls __getptd_noexit 85840->85877 85841 41f073 85878 41f0a6 LeaveCriticalSection __unlock_fhandle 85841->85878 85844->85786 85845->85796 85847->85806 85848->85812 85849->85816 85852 41ba47 __locking 85851->85852 85853 41baa2 85852->85853 85854 418407 __lock 67 API calls 85852->85854 85855 41bac4 __locking 85853->85855 85856 41baa7 EnterCriticalSection 85853->85856 85857 41ba73 85854->85857 85855->85833 85856->85855 85858 41ba8a 85857->85858 85859 4189e6 __ioinit InitializeCriticalSectionAndSpinCount 85857->85859 85860 41bad2 ___lock_fhandle LeaveCriticalSection 85858->85860 85859->85858 85860->85853 85862 41b9c4 __commit 67 API calls 85861->85862 85863 41ef6e 85862->85863 85864 41ef84 SetFilePointer 85863->85864 85865 41ef74 85863->85865 85867 41efa3 85864->85867 85868 41ef9b GetLastError 85864->85868 85866 417f23 __locking 67 API calls 85865->85866 85869 41ef79 85866->85869 85867->85869 85870 417f49 __dosmaperr 67 API calls 85867->85870 85868->85867 85869->85841 85870->85869 85871->85825 85872->85830 85873->85828 85874->85834 85876->85840 85877->85841 85878->85830 85880 414e31 85879->85880 85881 414e4d 85879->85881 85925 417f23 67 API calls __getptd_noexit 85880->85925 85883 41486c __flush 101 API calls 85881->85883 85893 414e46 85881->85893 85885 414e59 85883->85885 85884 414e36 85926 417ebb 6 API calls 2 library calls 85884->85926 85898 41e680 85885->85898 85889 41453a __fileno 67 API calls 85890 414e67 85889->85890 85902 41e5b3 85890->85902 85892 414e6d 85892->85893 85894 413a88 __fcloseall 67 API calls 85892->85894 85897 414f08 LeaveCriticalSection LeaveCriticalSection __wfsopen 85893->85897 85894->85893 85895->85628 85897->85631 85899 41e690 85898->85899 85900 414e61 85898->85900 85899->85900 85901 413a88 __fcloseall 67 API calls 85899->85901 85900->85889 85901->85900 85903 41e5bf __locking 85902->85903 85904 41e5e2 85903->85904 85905 41e5c7 85903->85905 85906 41e5f0 85904->85906 85911 41e631 85904->85911 85942 417f36 67 API calls __getptd_noexit 85905->85942 85944 417f36 67 API calls __getptd_noexit 85906->85944 85909 41e5cc 85943 417f23 67 API calls __getptd_noexit 85909->85943 85910 41e5f5 85945 417f23 67 API calls __getptd_noexit 85910->85945 85914 41ba3b ___lock_fhandle 68 API calls 85911->85914 85916 41e637 85914->85916 85915 41e5fc 85946 417ebb 6 API calls 2 library calls 85915->85946 85918 41e652 85916->85918 85919 41e644 85916->85919 85947 417f23 67 API calls __getptd_noexit 85918->85947 85927 41e517 85919->85927 85922 41e64c 85948 41e676 LeaveCriticalSection __unlock_fhandle 85922->85948 85924 41e5d4 __locking 85924->85892 85925->85884 85949 41b9c4 85927->85949 85929 41e57d 85962 41b93e 68 API calls __locking 85929->85962 85931 41e527 85931->85929 85934 41b9c4 __commit 67 API calls 85931->85934 85941 41e55b 85931->85941 85932 41b9c4 __commit 67 API calls 85936 41e567 CloseHandle 85932->85936 85933 41e585 85940 41e5a7 85933->85940 85963 417f49 67 API calls 2 library calls 85933->85963 85935 41e552 85934->85935 85937 41b9c4 __commit 67 API calls 85935->85937 85936->85929 85938 41e573 GetLastError 85936->85938 85937->85941 85938->85929 85940->85922 85941->85929 85941->85932 85942->85909 85943->85924 85944->85910 85945->85915 85947->85922 85948->85924 85950 41b9d1 85949->85950 85953 41b9e9 85949->85953 85951 417f36 __locking 67 API calls 85950->85951 85952 41b9d6 85951->85952 85955 417f23 __locking 67 API calls 85952->85955 85954 417f36 __locking 67 API calls 85953->85954 85956 41ba2e 85953->85956 85957 41ba17 85954->85957 85958 41b9de 85955->85958 85956->85931 85959 417f23 __locking 67 API calls 85957->85959 85958->85931 85960 41ba1e 85959->85960 85961 417ebb __locking 6 API calls 85960->85961 85961->85956 85962->85933 85963->85940 85965 415126 __locking 85964->85965 85966 41516f 85965->85966 85968 415164 __locking 85965->85968 85970 41513a _memset 85965->85970 85967 415965 __lock_file 68 API calls 85966->85967 85969 415177 85967->85969 85968->85637 85977 414f10 85969->85977 85993 417f23 67 API calls __getptd_noexit 85970->85993 85973 415154 85994 417ebb 6 API calls 2 library calls 85973->85994 85980 414f2e _memset 85977->85980 85983 414f4c 85977->85983 85978 414f37 86046 417f23 67 API calls __getptd_noexit 85978->86046 85980->85978 85980->85983 85990 414f8b 85980->85990 85981 414f3c 86047 417ebb 6 API calls 2 library calls 85981->86047 85995 4151a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 85983->85995 85985 4150d5 _memset 86050 417f23 67 API calls __getptd_noexit 85985->86050 85986 4150a9 _memset 86049 417f23 67 API calls __getptd_noexit 85986->86049 85987 41453a __fileno 67 API calls 85987->85990 85990->85983 85990->85985 85990->85986 85990->85987 85996 41ed9e 85990->85996 86026 41e6b1 85990->86026 86048 41ee9b 67 API calls 3 library calls 85990->86048 85993->85973 85995->85968 85997 41edaa __locking 85996->85997 85998 41edb2 85997->85998 85999 41edcd 85997->85999 86120 417f36 67 API calls __getptd_noexit 85998->86120 86001 41eddb 85999->86001 86005 41ee1c 85999->86005 86122 417f36 67 API calls __getptd_noexit 86001->86122 86003 41edb7 86121 417f23 67 API calls __getptd_noexit 86003->86121 86004 41ede0 86123 417f23 67 API calls __getptd_noexit 86004->86123 86008 41ee29 86005->86008 86009 41ee3d 86005->86009 86125 417f36 67 API calls __getptd_noexit 86008->86125 86010 41ba3b ___lock_fhandle 68 API calls 86009->86010 86012 41ee43 86010->86012 86014 41ee50 86012->86014 86015 41ee66 86012->86015 86013 41ee2e 86126 417f23 67 API calls __getptd_noexit 86013->86126 86051 41e7dc 86014->86051 86127 417f23 67 API calls __getptd_noexit 86015->86127 86020 41edbf __locking 86020->85990 86021 41ede7 86124 417ebb 6 API calls 2 library calls 86021->86124 86022 41ee5e 86129 41ee91 LeaveCriticalSection __unlock_fhandle 86022->86129 86023 41ee6b 86128 417f36 67 API calls __getptd_noexit 86023->86128 86027 41e6c1 86026->86027 86028 41e6de 86026->86028 86133 417f23 67 API calls __getptd_noexit 86027->86133 86032 41e713 86028->86032 86038 41e6d6 86028->86038 86130 423600 86028->86130 86030 41e6c6 86134 417ebb 6 API calls 2 library calls 86030->86134 86034 41453a __fileno 67 API calls 86032->86034 86035 41e727 86034->86035 86036 41ed9e __read 79 API calls 86035->86036 86037 41e72e 86036->86037 86037->86038 86039 41453a __fileno 67 API calls 86037->86039 86038->85990 86040 41e751 86039->86040 86040->86038 86041 41453a __fileno 67 API calls 86040->86041 86042 41e75d 86041->86042 86042->86038 86043 41453a __fileno 67 API calls 86042->86043 86044 41e769 86043->86044 86045 41453a __fileno 67 API calls 86044->86045 86045->86038 86046->85981 86048->85990 86049->85981 86050->85981 86052 41e813 86051->86052 86053 41e7f8 86051->86053 86055 41e822 86052->86055 86057 41e849 86052->86057 86054 417f36 __locking 67 API calls 86053->86054 86056 41e7fd 86054->86056 86058 417f36 __locking 67 API calls 86055->86058 86059 417f23 __locking 67 API calls 86056->86059 86061 41e868 86057->86061 86074 41e87c 86057->86074 86060 41e827 86058->86060 86063 41e805 86059->86063 86065 417f23 __locking 67 API calls 86060->86065 86062 417f36 __locking 67 API calls 86061->86062 86066 41e86d 86062->86066 86063->86022 86064 41e8d4 86068 417f36 __locking 67 API calls 86064->86068 86067 41e82e 86065->86067 86070 417f23 __locking 67 API calls 86066->86070 86071 417ebb __locking 6 API calls 86067->86071 86069 41e8d9 86068->86069 86072 417f23 __locking 67 API calls 86069->86072 86073 41e874 86070->86073 86071->86063 86072->86073 86076 417ebb __locking 6 API calls 86073->86076 86074->86063 86074->86064 86075 41e8b0 86074->86075 86078 41e8f5 86074->86078 86075->86064 86077 41e8bb ReadFile 86075->86077 86076->86063 86082 41ed62 GetLastError 86077->86082 86083 41e9e7 86077->86083 86080 416fb6 __malloc_crt 67 API calls 86078->86080 86081 41e90b 86080->86081 86086 41e931 86081->86086 86087 41e913 86081->86087 86084 41ebe8 86082->86084 86085 41ed6f 86082->86085 86083->86082 86088 41e9fb 86083->86088 86095 417f49 __dosmaperr 67 API calls 86084->86095 86099 41eb6d 86084->86099 86090 417f23 __locking 67 API calls 86085->86090 86089 423462 __lseeki64_nolock 69 API calls 86086->86089 86091 417f23 __locking 67 API calls 86087->86091 86088->86099 86101 41ec2d 86088->86101 86107 41ea17 86088->86107 86092 41e93d 86089->86092 86093 41ed74 86090->86093 86094 41e918 86091->86094 86092->86077 86096 417f36 __locking 67 API calls 86093->86096 86097 417f36 __locking 67 API calls 86094->86097 86095->86099 86096->86099 86097->86063 86098 413a88 __fcloseall 67 API calls 86098->86063 86099->86063 86099->86098 86100 41eca5 ReadFile 86104 41ecc4 GetLastError 86100->86104 86112 41ecce 86100->86112 86101->86099 86101->86100 86102 41ea7d ReadFile 86103 41ea9b GetLastError 86102->86103 86111 41eaa5 86102->86111 86103->86107 86103->86111 86104->86101 86104->86112 86105 41ebbe MultiByteToWideChar 86105->86099 86106 41ebe2 GetLastError 86105->86106 86106->86084 86107->86102 86108 41eafa 86107->86108 86108->86099 86109 41eb75 86108->86109 86110 41eb68 86108->86110 86114 41eb32 86108->86114 86109->86114 86115 41ebac 86109->86115 86113 417f23 __locking 67 API calls 86110->86113 86111->86107 86116 423462 __lseeki64_nolock 69 API calls 86111->86116 86112->86101 86117 423462 __lseeki64_nolock 69 API calls 86112->86117 86113->86099 86114->86105 86118 423462 __lseeki64_nolock 69 API calls 86115->86118 86116->86111 86117->86112 86119 41ebbb 86118->86119 86119->86105 86120->86003 86121->86020 86122->86004 86123->86021 86125->86013 86126->86021 86127->86023 86128->86022 86129->86020 86131 416fb6 __malloc_crt 67 API calls 86130->86131 86132 423615 86131->86132 86132->86032 86133->86030 86138 414cef GetSystemTimeAsFileTime __aulldiv 86135->86138 86137 4431ef 86137->85640 86138->86137 86139->85648 86141->85653 86143 4523e1 _wcscpy 86142->86143 86144 4151b0 81 API calls __fread_nolock 86143->86144 86145 44afdc GetSystemTimeAsFileTime 86143->86145 86146 452553 86143->86146 86147 41557c 105 API calls _fseek 86143->86147 86144->86143 86145->86143 86146->85562 86146->85563 86147->86143 86149 44b1b4 86148->86149 86150 44b1a6 86148->86150 86152 44b1ca 86149->86152 86153 414e06 138 API calls 86149->86153 86154 44b1c2 86149->86154 86151 414e06 138 API calls 86150->86151 86151->86149 86183 4352d1 81 API calls 2 library calls 86152->86183 86155 44b2c1 86153->86155 86154->85590 86155->86152 86157 44b2cf 86155->86157 86159 44b2dc 86157->86159 86163 414e94 __fcloseall 106 API calls 86157->86163 86158 44b20d 86160 44b211 86158->86160 86161 44b23b 86158->86161 86159->85590 86162 44b21e 86160->86162 86165 414e94 __fcloseall 106 API calls 86160->86165 86184 43526e 86161->86184 86166 44b22e 86162->86166 86168 414e94 __fcloseall 106 API calls 86162->86168 86163->86159 86165->86162 86166->85590 86167 44b242 86169 44b270 86167->86169 86170 44b248 86167->86170 86168->86166 86194 44b0af 111 API calls 86169->86194 86172 44b255 86170->86172 86175 414e94 __fcloseall 106 API calls 86170->86175 86173 44b265 86172->86173 86176 414e94 __fcloseall 106 API calls 86172->86176 86173->85590 86174 44b276 86195 43522c 67 API calls __fcloseall 86174->86195 86175->86172 86176->86173 86178 44b27c 86179 44b289 86178->86179 86180 414e94 __fcloseall 106 API calls 86178->86180 86181 44b299 86179->86181 86182 414e94 __fcloseall 106 API calls 86179->86182 86180->86179 86181->85590 86182->86181 86183->86158 86185 4138ba _malloc 67 API calls 86184->86185 86186 43527d 86185->86186 86187 4138ba _malloc 67 API calls 86186->86187 86188 43528d 86187->86188 86189 4138ba _malloc 67 API calls 86188->86189 86190 43529d 86189->86190 86192 4352bc 86190->86192 86196 43522c 67 API calls __fcloseall 86190->86196 86192->86167 86193 4352c8 86193->86167 86194->86174 86195->86178 86196->86193 86197->85485 86198->85489 86199->85502 86200->85502 86201->85502 86202->85501 86203->85502 86204->85502 86205->85516 86206->85526 86208->85525 86209->85412 86211 410148 SHGetDesktopFolder 86210->86211 86214 4101a3 _wcscpy 86210->86214 86212 41015a _wcscpy 86211->86212 86211->86214 86213 41018a SHGetPathFromIDListW 86212->86213 86212->86214 86213->86214 86214->85415 86215->85417 86217 40f5e0 152 API calls 86216->86217 86218 40f417 86217->86218 86219 42ca37 86218->86219 86221 40f42c 86218->86221 86222 42ca1f 86218->86222 86220 452574 140 API calls 86219->86220 86224 42ca50 86220->86224 86264 4037e0 139 API calls 7 library calls 86221->86264 86265 43717f 110 API calls _printf 86222->86265 86227 42ca76 86224->86227 86228 42ca54 86224->86228 86226 42ca2d 86226->86219 86231 41171a 75 API calls 86227->86231 86230 434fe1 106 API calls 86228->86230 86229 40f446 86229->85414 86232 42ca5e 86230->86232 86239 42cacc moneypunct 86231->86239 86266 43717f 110 API calls _printf 86232->86266 86234 42ccc3 86236 413a88 __fcloseall 67 API calls 86234->86236 86235 42ca6c 86235->86227 86237 42cccd 86236->86237 86238 434fe1 106 API calls 86237->86238 86240 42ccda 86238->86240 86239->86234 86244 401b70 75 API calls 86239->86244 86247 445051 86239->86247 86250 402cc0 86239->86250 86258 4026a0 86239->86258 86267 44c80c 87 API calls 3 library calls 86239->86267 86268 44b408 75 API calls 86239->86268 86244->86239 86248 41171a 75 API calls 86247->86248 86249 445080 _memcpy_s 86248->86249 86249->86239 86249->86249 86251 402d71 86250->86251 86255 402cd2 _memcpy_s moneypunct 86250->86255 86253 41171a 75 API calls 86251->86253 86252 41171a 75 API calls 86254 402cd9 86252->86254 86253->86255 86256 41171a 75 API calls 86254->86256 86257 402cff 86254->86257 86255->86252 86256->86257 86257->86239 86259 40276b 86258->86259 86260 4026af 86258->86260 86259->86239 86260->86259 86261 41171a 75 API calls 86260->86261 86262 4026ee moneypunct 86260->86262 86261->86262 86262->86259 86263 41171a 75 API calls 86262->86263 86263->86262 86264->86229 86265->86226 86266->86235 86267->86239 86268->86239 86269->85425 86270->85424 86271->85431 86272 431914 86273 431920 86272->86273 86274 431928 86273->86274 86275 43193d 86273->86275 86481 45e62e 116 API calls 3 library calls 86274->86481 86482 47f2b4 174 API calls 86275->86482 86278 43194a 86286 4095b0 moneypunct 86278->86286 86483 45e62e 116 API calls 3 library calls 86278->86483 86279 409708 86282 4097af 86282->86279 86467 40d590 VariantClear 86282->86467 86284 4315b8 WaitForSingleObject 86284->86286 86288 4315d6 GetExitCodeProcess CloseHandle 86284->86288 86285 431623 Sleep 86291 43163b timeGetTime 86285->86291 86299 409894 86285->86299 86286->86279 86286->86282 86286->86284 86286->86285 86292 40986e Sleep 86286->86292 86295 4098f1 TranslateMessage DispatchMessageW 86286->86295 86286->86299 86309 45e62e 116 API calls 86286->86309 86314 4319c9 VariantClear 86286->86314 86316 4092c0 VariantClear 86286->86316 86318 409030 86286->86318 86332 40d300 86286->86332 86337 40d320 86286->86337 86343 40b380 119 API calls moneypunct 86286->86343 86344 409a40 86286->86344 86468 409340 174 API calls moneypunct 86286->86468 86484 40e380 VariantClear moneypunct 86286->86484 86472 40d590 VariantClear 86288->86472 86291->86299 86296 409880 timeGetTime 86292->86296 86292->86299 86295->86286 86296->86299 86297 431673 CloseHandle 86297->86299 86298 40d590 VariantClear 86298->86299 86299->86286 86299->86297 86299->86298 86300 43170c GetExitCodeProcess CloseHandle 86299->86300 86301 46e641 134 API calls 86299->86301 86304 46dd22 133 API calls 86299->86304 86306 431781 Sleep 86299->86306 86315 4092c0 VariantClear 86299->86315 86469 447e59 75 API calls 86299->86469 86470 453b07 77 API calls 86299->86470 86471 4646a2 76 API calls 86299->86471 86473 444233 88 API calls _wcslen 86299->86473 86474 457509 VariantClear 86299->86474 86475 404120 86299->86475 86479 4717e3 VariantClear 86299->86479 86480 436272 6 API calls 86299->86480 86300->86299 86301->86299 86304->86299 86306->86286 86309->86286 86314->86286 86315->86299 86316->86286 86485 409110 117 API calls 86318->86485 86320 42ceb6 86496 410ae0 VariantClear moneypunct 86320->86496 86322 40906e 86322->86320 86324 42cea9 86322->86324 86326 4090a4 86322->86326 86323 42cebf 86495 45e62e 116 API calls 3 library calls 86324->86495 86486 404160 86326->86486 86329 4090f0 moneypunct 86329->86286 86330 4092c0 VariantClear 86331 4090be moneypunct 86330->86331 86331->86329 86331->86330 86333 4292e3 86332->86333 86334 40d30c 86332->86334 86335 429323 86333->86335 86336 4292fd TranslateAcceleratorW 86333->86336 86334->86286 86335->86286 86336->86334 86338 4296d0 86337->86338 86341 40d32f 86337->86341 86338->86286 86339 40d33c 86339->86286 86340 42972a IsDialogMessageW 86340->86339 86340->86341 86341->86339 86341->86340 86677 4340ec GetClassLongW 86341->86677 86343->86286 86345 409a66 _wcslen 86344->86345 86346 40aade _memcpy_s moneypunct 86345->86346 86347 41171a 75 API calls 86345->86347 86349 401380 75 API calls 86346->86349 86348 409a9c _memcpy_s 86347->86348 86350 41171a 75 API calls 86348->86350 86351 42cee9 86349->86351 86352 409abd 86350->86352 86354 41171a 75 API calls 86351->86354 86352->86346 86353 409aeb CharUpperBuffW 86352->86353 86359 409b09 moneypunct 86352->86359 86353->86359 86355 42cf10 _memcpy_s 86354->86355 86708 45e62e 116 API calls 3 library calls 86355->86708 86357 409b88 moneypunct 86357->86355 86364 409e4a 86357->86364 86366 40aa5b 86357->86366 86367 41171a 75 API calls 86357->86367 86370 40c3e0 75 API calls 86357->86370 86379 42d195 VariantClear 86357->86379 86382 4092c0 VariantClear 86357->86382 86384 40aa81 _memcpy_s moneypunct 86357->86384 86396 42d128 86357->86396 86399 42d20c 86357->86399 86410 42dbb9 86357->86410 86680 40c620 118 API calls 86357->86680 86682 40be00 75 API calls 2 library calls 86357->86682 86683 40e380 VariantClear moneypunct 86357->86683 86359->86357 86679 47d10e 150 API calls 86359->86679 86360 4092c0 VariantClear 86361 42e5e0 86360->86361 86709 410ae0 VariantClear moneypunct 86361->86709 86363 42e5f2 86364->86355 86365 409ea4 86364->86365 86368 41171a 75 API calls 86364->86368 86371 409ed0 86365->86371 86372 41171a 75 API calls 86365->86372 86369 41171a 75 API calls 86366->86369 86367->86357 86368->86365 86369->86384 86370->86357 86374 42d50d 86371->86374 86431 409ef8 _memcpy_s moneypunct 86371->86431 86688 40b800 VariantClear VariantClear moneypunct 86371->86688 86373 42d480 86372->86373 86375 42d491 86373->86375 86684 44b3f6 75 API calls 86373->86684 86377 42d527 86374->86377 86689 40b800 VariantClear VariantClear moneypunct 86374->86689 86685 40df50 75 API calls 86375->86685 86377->86431 86690 40e2e0 VariantClear moneypunct 86377->86690 86378 40a3a7 86381 40a415 86378->86381 86428 42db5c 86378->86428 86379->86357 86388 41171a 75 API calls 86381->86388 86382->86357 86390 41171a 75 API calls 86384->86390 86403 40a41c 86388->86403 86390->86346 86391 42d4a6 86686 4530b3 75 API calls 86391->86686 86393 42db96 86695 45e62e 116 API calls 3 library calls 86393->86695 86398 4092c0 VariantClear 86396->86398 86397 42d4d7 86687 4530b3 75 API calls 86397->86687 86402 42d131 86398->86402 86399->86286 86681 410ae0 VariantClear moneypunct 86402->86681 86414 40a481 86403->86414 86696 40c8a0 VariantClear moneypunct 86403->86696 86407 402cc0 75 API calls 86407->86431 86408 44b3f6 75 API calls 86408->86431 86410->86360 86411 4092c0 VariantClear 86439 40a534 _memcpy_s moneypunct 86411->86439 86412 411421 74 API calls __cinit 86412->86431 86413 41171a 75 API calls 86413->86431 86415 40a4ed 86414->86415 86416 42dc1e VariantClear 86414->86416 86414->86439 86421 40a4ff moneypunct 86415->86421 86697 40e380 VariantClear moneypunct 86415->86697 86416->86421 86419 4019e0 76 API calls 86419->86431 86420 41171a 75 API calls 86420->86439 86421->86420 86421->86439 86424 42deb6 VariantClear 86424->86439 86425 40a73c 86427 42e237 86425->86427 86435 40a76b 86425->86435 86426 40e380 VariantClear 86426->86439 86701 46e709 VariantClear VariantClear moneypunct 86427->86701 86694 4721e5 VariantClear 86428->86694 86429 42df47 VariantClear 86429->86439 86430 42dfe9 VariantClear 86430->86439 86431->86346 86431->86378 86431->86393 86431->86407 86431->86408 86431->86412 86431->86413 86431->86419 86431->86428 86434 40a053 86431->86434 86691 45ee98 75 API calls 86431->86691 86692 404260 76 API calls 86431->86692 86693 409210 VariantClear 86431->86693 86433 40a7a2 86446 40a7ad moneypunct 86433->86446 86702 40b800 VariantClear VariantClear moneypunct 86433->86702 86434->86286 86435->86433 86459 40a800 moneypunct 86435->86459 86678 40b800 VariantClear VariantClear moneypunct 86435->86678 86438 41171a 75 API calls 86438->86439 86439->86411 86439->86424 86439->86425 86439->86426 86439->86427 86439->86429 86439->86430 86439->86438 86442 41171a 75 API calls 86439->86442 86698 46e9cd 75 API calls 86439->86698 86699 409210 VariantClear 86439->86699 86700 44cc6c VariantClear moneypunct 86439->86700 86440 40a8b0 86452 40a8c2 moneypunct 86440->86452 86704 40e380 VariantClear moneypunct 86440->86704 86441 42e312 86443 42e337 VariantClear 86441->86443 86441->86452 86444 42dd10 VariantInit VariantCopy 86442->86444 86443->86452 86444->86439 86448 42dd30 VariantClear 86444->86448 86447 40a7ee 86446->86447 86450 42e2a7 VariantClear 86446->86450 86446->86459 86447->86459 86703 40e380 VariantClear moneypunct 86447->86703 86448->86439 86449 42e3b2 86454 42e3da VariantClear 86449->86454 86460 40a91a moneypunct 86449->86460 86450->86459 86452->86449 86453 40a908 86452->86453 86453->86460 86705 40e380 VariantClear moneypunct 86453->86705 86454->86460 86456 42e47f 86461 42e4a3 VariantClear 86456->86461 86466 40a957 moneypunct 86456->86466 86457 40a945 86457->86466 86706 40e380 VariantClear moneypunct 86457->86706 86459->86440 86459->86441 86460->86456 86460->86457 86461->86466 86463 40aa22 moneypunct 86463->86286 86464 42e559 VariantClear 86464->86466 86466->86463 86466->86464 86707 40e380 VariantClear moneypunct 86466->86707 86467->86279 86468->86286 86469->86299 86470->86299 86471->86299 86472->86299 86473->86299 86474->86299 86476 40412e 86475->86476 86477 4092c0 VariantClear 86476->86477 86478 404138 86477->86478 86478->86306 86479->86299 86480->86299 86481->86286 86482->86278 86483->86286 86484->86286 86485->86322 86487 4092c0 VariantClear 86486->86487 86488 40416e 86487->86488 86489 404120 VariantClear 86488->86489 86490 40419b 86489->86490 86497 40efe0 86490->86497 86505 4734b7 86490->86505 86547 480df5 86490->86547 86491 4041c6 86491->86320 86491->86331 86495->86320 86496->86323 86498 40eff5 CreateFileW 86497->86498 86499 4299bf 86497->86499 86501 40f017 86498->86501 86500 4299c4 CreateFileW 86499->86500 86499->86501 86500->86501 86502 4299ea 86500->86502 86501->86491 86555 40e0d0 SetFilePointerEx SetFilePointerEx 86502->86555 86504 4299f5 86504->86501 86506 453063 111 API calls 86505->86506 86507 4734d7 86506->86507 86508 473545 86507->86508 86509 47350c 86507->86509 86556 463c42 86508->86556 86510 4092c0 VariantClear 86509->86510 86516 473514 86510->86516 86512 473558 86513 47355c 86512->86513 86530 473595 86512->86530 86515 4092c0 VariantClear 86513->86515 86514 473616 86569 463d7e 86514->86569 86523 473564 86515->86523 86516->86491 86518 453063 111 API calls 86518->86530 86519 473622 86520 473697 86519->86520 86521 47362c 86519->86521 86601 457838 86520->86601 86522 4092c0 VariantClear 86521->86522 86526 473634 86522->86526 86523->86491 86526->86491 86529 473655 86532 4092c0 VariantClear 86529->86532 86530->86514 86530->86518 86530->86529 86613 462f5a 87 API calls __wcsicoll 86530->86613 86542 47365d 86532->86542 86533 4736b0 86614 45e62e 116 API calls 3 library calls 86533->86614 86534 4736c9 86615 40e7e0 76 API calls 86534->86615 86537 4736ba GetCurrentProcess TerminateProcess 86537->86534 86538 4736db 86544 4736ff 86538->86544 86616 40d030 76 API calls 86538->86616 86540 4736f1 86617 46b945 134 API calls 2 library calls 86540->86617 86542->86491 86546 473731 86544->86546 86618 40d030 76 API calls 86544->86618 86619 46b945 134 API calls 2 library calls 86544->86619 86546->86491 86548 453081 111 API calls 86547->86548 86549 480e33 86548->86549 86641 402dd0 86549->86641 86551 480e3b 86553 480e65 86551->86553 86670 40e6d0 76 API calls 86551->86670 86553->86491 86554 480e9f 86554->86491 86555->86504 86620 45335b 76 API calls 86556->86620 86558 463c5d 86621 442c52 80 API calls _wcslen 86558->86621 86560 463c72 86562 40c060 75 API calls 86560->86562 86568 463cac 86560->86568 86563 463c8e 86562->86563 86622 4608ce 75 API calls _memcpy_s 86563->86622 86565 463ca4 86567 40c740 75 API calls 86565->86567 86566 463cf7 86566->86512 86567->86568 86568->86566 86623 462f5a 87 API calls __wcsicoll 86568->86623 86570 453063 111 API calls 86569->86570 86571 463d99 86570->86571 86572 463de0 86571->86572 86573 463dca 86571->86573 86630 40c760 78 API calls 86572->86630 86624 453081 86573->86624 86576 463dd0 LoadLibraryW 86578 463e09 86576->86578 86577 463de7 86591 463e19 86577->86591 86631 40c760 78 API calls 86577->86631 86580 463e3e 86578->86580 86578->86591 86583 463e4e 86580->86583 86584 463e7b 86580->86584 86581 463dfb 86581->86591 86632 40c760 78 API calls 86581->86632 86633 40d500 75 API calls 86583->86633 86635 40c760 78 API calls 86584->86635 86587 463e57 86634 45efe7 77 API calls moneypunct 86587->86634 86588 463e82 GetProcAddress 86592 463e90 86588->86592 86590 463e62 GetProcAddress 86593 463e79 86590->86593 86591->86519 86592->86591 86592->86593 86593->86592 86636 403470 75 API calls _memcpy_s 86593->86636 86595 463eb4 86637 40d500 75 API calls 86595->86637 86597 463ebd 86638 45efe7 77 API calls moneypunct 86597->86638 86599 463ec8 GetProcAddress 86639 401330 moneypunct 86599->86639 86602 457a4c 86601->86602 86608 45785f _strcat moneypunct _wcslen _wcscpy 86601->86608 86609 410d40 86602->86609 86603 443576 78 API calls 86603->86608 86604 453081 111 API calls 86604->86608 86605 40c760 78 API calls 86605->86608 86606 4138ba 67 API calls _malloc 86606->86608 86607 40f580 77 API calls 86607->86608 86608->86602 86608->86603 86608->86604 86608->86605 86608->86606 86608->86607 86611 410d55 86609->86611 86610 410ded VirtualProtect 86612 410dbb 86610->86612 86611->86610 86611->86612 86612->86533 86612->86534 86613->86530 86614->86537 86615->86538 86616->86540 86617->86544 86618->86544 86619->86544 86620->86558 86621->86560 86622->86565 86623->86566 86625 45308c 86624->86625 86626 4530aa 86624->86626 86627 4530a1 86625->86627 86640 452e2a 111 API calls 5 library calls 86625->86640 86626->86576 86627->86576 86629 453098 86629->86576 86630->86577 86631->86581 86632->86578 86633->86587 86634->86590 86635->86588 86636->86595 86637->86597 86638->86599 86639->86591 86640->86629 86642 41171a 75 API calls 86641->86642 86643 402e03 86642->86643 86644 41171a 75 API calls 86643->86644 86654 402e16 moneypunct 86644->86654 86645 402cc0 75 API calls 86646 403094 moneypunct 86645->86646 86646->86551 86649 40305a moneypunct 86649->86645 86650 42b5fe 86675 45ffa9 118 API calls 3 library calls 86650->86675 86651 403770 75 API calls 86651->86654 86653 42b612 86653->86646 86676 45ffa9 118 API calls 3 library calls 86653->86676 86654->86649 86654->86650 86654->86651 86654->86653 86655 403470 75 API calls 86654->86655 86658 402cc0 75 API calls 86654->86658 86661 42b68a 86654->86661 86662 402ae0 75 API calls 86654->86662 86666 402650 75 API calls 86654->86666 86668 41171a 75 API calls 86654->86668 86669 42b5c3 86654->86669 86671 4035d0 86 API calls 86654->86671 86672 402b70 76 API calls 86654->86672 86673 403530 118 API calls _memcpy_s 86654->86673 86655->86654 86658->86654 86660 42b655 86664 42b5e1 86660->86664 86667 402cc0 75 API calls 86660->86667 86665 402cc0 75 API calls 86661->86665 86663 402ff0 CharUpperBuffW 86662->86663 86663->86654 86664->86646 86665->86646 86666->86654 86667->86664 86668->86654 86674 45ffa9 118 API calls 3 library calls 86669->86674 86670->86554 86671->86654 86672->86654 86673->86654 86674->86664 86675->86653 86676->86660 86677->86341 86678->86433 86679->86359 86680->86357 86681->86463 86682->86357 86683->86357 86684->86375 86685->86391 86686->86397 86687->86371 86688->86374 86689->86377 86690->86431 86691->86431 86692->86431 86693->86431 86694->86393 86695->86410 86696->86403 86697->86421 86698->86439 86699->86439 86700->86439 86701->86433 86702->86446 86703->86459 86704->86452 86705->86460 86706->86466 86707->86466 86708->86410 86709->86363 86710 42919b 86715 40ef10 86710->86715 86713 411421 __cinit 74 API calls 86714 4291aa 86713->86714 86716 41171a 75 API calls 86715->86716 86717 40ef17 86716->86717 86718 42ad48 86717->86718 86723 40ef40 74 API calls __cinit 86717->86723 86720 40ef2a 86724 40e470 86720->86724 86723->86720 86725 40c060 75 API calls 86724->86725 86726 40e483 GetVersionExW 86725->86726 86727 4021e0 75 API calls 86726->86727 86728 40e4bb 86727->86728 86750 40e600 86728->86750 86735 42accc 86736 42ad28 GetSystemInfo 86735->86736 86739 42ad38 GetSystemInfo 86736->86739 86737 40e557 GetCurrentProcess 86770 40ee30 LoadLibraryA GetProcAddress 86737->86770 86740 40e56c 86740->86739 86763 40eee0 86740->86763 86743 40e5c9 86767 40eea0 86743->86767 86746 40e5e0 86748 40e5f1 FreeLibrary 86746->86748 86749 40e5f4 86746->86749 86747 40e5dd FreeLibrary 86747->86746 86748->86749 86749->86713 86751 40e60b 86750->86751 86752 40c740 75 API calls 86751->86752 86753 40e4c2 86752->86753 86754 40e620 86753->86754 86755 40e62a 86754->86755 86756 42ac93 86755->86756 86757 40c740 75 API calls 86755->86757 86758 40e4ce 86757->86758 86758->86735 86759 40ee70 86758->86759 86760 40e551 86759->86760 86761 40ee76 LoadLibraryA 86759->86761 86760->86737 86760->86740 86761->86760 86762 40ee87 GetProcAddress 86761->86762 86762->86760 86764 40e5bf 86763->86764 86765 40eee6 LoadLibraryA 86763->86765 86764->86736 86764->86743 86765->86764 86766 40eef7 GetProcAddress 86765->86766 86766->86764 86771 40eec0 LoadLibraryA GetProcAddress 86767->86771 86769 40e5d3 GetNativeSystemInfo 86769->86746 86769->86747 86770->86740 86771->86769 86772 42e89e 86779 40c000 86772->86779 86774 42e8ac 86775 409a40 165 API calls 86774->86775 86776 42e8ca 86775->86776 86790 44b92e VariantClear 86776->86790 86778 42f3ae 86780 40c014 86779->86780 86781 40c007 86779->86781 86783 40c01a 86780->86783 86784 40c02c 86780->86784 86791 409210 VariantClear 86781->86791 86792 409210 VariantClear 86783->86792 86787 41171a 75 API calls 86784->86787 86785 40c00f 86785->86774 86789 40c033 86787->86789 86788 40c023 86788->86774 86789->86774 86790->86778 86791->86785 86792->86788 86793 3f4f808 86808 3f4d458 86793->86808 86795 3f4f89e 86811 3f4f6f8 86795->86811 86797 3f4f8c7 CreateFileW 86799 3f4f91b 86797->86799 86801 3f4f916 86797->86801 86800 3f4f932 VirtualAlloc 86799->86800 86799->86801 86800->86801 86802 3f4f950 ReadFile 86800->86802 86802->86801 86803 3f4f96b 86802->86803 86804 3f4e6f8 13 API calls 86803->86804 86805 3f4f99e 86804->86805 86806 3f4f9c1 ExitProcess 86805->86806 86807 3f4f788 CreateProcessW 86805->86807 86806->86801 86807->86806 86814 3f508c8 GetPEB 86808->86814 86810 3f4dae3 86810->86795 86812 3f4f701 Sleep 86811->86812 86813 3f4f70f 86812->86813 86815 3f508f2 86814->86815 86815->86810

                                                                        Executed Functions

                                                                        Function 00409A40 Relevance: 32.2, APIs: 15, Strings: 2, Instructions: 2432COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00409A61
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID: 0vH$4RH
                                                                        • API String ID: 1143807570-2085553193
                                                                        • Opcode ID: 6ed877a5d1cb41e7463924ba79375fc69617cb0e7df98969b0dc710bcd39381e
                                                                        • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                                                        • Opcode Fuzzy Hash: 6ed877a5d1cb41e7463924ba79375fc69617cb0e7df98969b0dc710bcd39381e
                                                                        • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                                                                        Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141windowCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                                                                          • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Pi648je050.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                                                                          • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                                                                          • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                                                                          • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                                                                          • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                                                                          • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                                                        • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                                                        • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Pi648je050.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                                                          • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                                                        • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\Pi648je050.exe,00000004), ref: 0040D7D6
                                                                        • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                                                                        • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\Pi648je050.exe,00000004), ref: 00431B0E
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\Pi648je050.exe,00000004), ref: 00431B3F
                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                                                                        • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                                                          • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                          • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                          • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                          • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                          • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                          • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                          • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                                          • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                          • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                          • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                                          • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                          • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                                          • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                        • String ID: @GH$@GH$C:\Users\user\Desktop\Pi648je050.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                        • API String ID: 2493088469-4173068584
                                                                        • Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                        • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                        • Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                        • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
                                                                        Function 0040E470 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 165COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1254 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 1263 40e506-40e509 1254->1263 1264 42accc-42acd1 1254->1264 1267 40e540-40e555 call 40ee70 1263->1267 1268 40e50b-40e51c 1263->1268 1265 42acd3-42acdb 1264->1265 1266 42acdd-42ace0 1264->1266 1270 42ad12-42ad20 1265->1270 1271 42ace2-42aceb 1266->1271 1272 42aced-42acf0 1266->1272 1281 40e557-40e573 GetCurrentProcess call 40ee30 1267->1281 1282 40e579-40e5a8 1267->1282 1273 40e522-40e525 1268->1273 1274 42ac9b-42aca7 1268->1274 1280 42ad28-42ad2d GetSystemInfo 1270->1280 1271->1270 1272->1270 1278 42acf2-42ad06 1272->1278 1273->1267 1279 40e527-40e537 1273->1279 1276 42acb2-42acba 1274->1276 1277 42aca9-42acad 1274->1277 1276->1267 1277->1267 1283 42ad08-42ad0c 1278->1283 1284 42ad0e 1278->1284 1285 42acbf-42acc7 1279->1285 1286 40e53d 1279->1286 1288 42ad38-42ad3d GetSystemInfo 1280->1288 1281->1282 1295 40e575 1281->1295 1282->1288 1289 40e5ae-40e5c3 call 40eee0 1282->1289 1283->1270 1284->1270 1285->1267 1286->1267 1289->1280 1294 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 1289->1294 1298 40e5e0-40e5ef 1294->1298 1299 40e5dd-40e5de FreeLibrary 1294->1299 1295->1282 1300 40e5f1-40e5f2 FreeLibrary 1298->1300 1301 40e5f4-40e5ff 1298->1301 1299->1298 1300->1301
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32 ref: 0040E495
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                        • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                        • String ID: pMH$#v
                                                                        • API String ID: 2923339712-1800489730
                                                                        • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                        • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                        • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                        • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                        Function 0040EB70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                        • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: IsThemeActive$uxtheme.dll
                                                                        • API String ID: 2574300362-3542929980
                                                                        • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                        • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                        • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                        • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28
                                                                        Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167registryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                        • __wsplitpath.LIBCMT ref: 00410C61
                                                                          • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                        • _wcsncat.LIBCMT ref: 00410C78
                                                                        • __wmakepath.LIBCMT ref: 00410C94
                                                                          • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        • _wcscpy.LIBCMT ref: 00410CCC
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                        • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                        • _wcscat.LIBCMT ref: 00429C43
                                                                        • _wcslen.LIBCMT ref: 00429C55
                                                                        • _wcslen.LIBCMT ref: 00429C66
                                                                        • _wcscat.LIBCMT ref: 00429C80
                                                                        • _wcsncpy.LIBCMT ref: 00429CC0
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                        • API String ID: 1004883554-2276155026
                                                                        • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                        • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                        • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                        • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
                                                                        Function 004095C7 Relevance: 21.5, APIs: 14, Instructions: 539sleeptimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                                                                          • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                        • Sleep.KERNEL32(0000000A), ref: 00409870
                                                                        • timeGetTime.WINMM ref: 00409880
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharSleepTimeUpper_wcslentime
                                                                        • String ID:
                                                                        • API String ID: 3219444185-0
                                                                        • Opcode ID: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                                        • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                                                                        • Opcode Fuzzy Hash: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                                        • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A
                                                                        Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_fseek_wcscpy
                                                                        • String ID: FILE
                                                                        • API String ID: 3888824918-3121273764
                                                                        • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                        • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                        • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                        • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA
                                                                        Function 004102F0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32 ref: 00410326
                                                                        • RegisterClassExW.USER32 ref: 00410359
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                        • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                        • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                        • ImageList_ReplaceIcon.COMCTL32(00B07270,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                        • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                        • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                        • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A
                                                                        Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74windowregistryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                        • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                        • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                        • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                        • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                        • RegisterClassExW.USER32 ref: 004102C6
                                                                          • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                          • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                          • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                          • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                          • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                          • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                          • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00B07270,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                        • String ID: #$0$PGH
                                                                        • API String ID: 423443420-3673556320
                                                                        • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                        • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                        • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                        • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99
                                                                        Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _fseek.LIBCMT ref: 004525DA
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                          • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                          • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                        • __fread_nolock.LIBCMT ref: 00452618
                                                                        • __fread_nolock.LIBCMT ref: 00452629
                                                                        • __fread_nolock.LIBCMT ref: 00452644
                                                                        • __fread_nolock.LIBCMT ref: 00452661
                                                                        • _fseek.LIBCMT ref: 0045267D
                                                                        • _malloc.LIBCMT ref: 00452689
                                                                        • _malloc.LIBCMT ref: 00452696
                                                                        • __fread_nolock.LIBCMT ref: 004526A7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1911931848-0
                                                                        • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                        • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                                        • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                        • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A
                                                                        Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1344 40f450-40f45c call 425210 1347 40f460-40f478 1344->1347 1347->1347 1348 40f47a-40f4a8 call 413990 call 410f70 1347->1348 1353 40f4b0-40f4d1 call 4151b0 1348->1353 1356 40f531 1353->1356 1357 40f4d3-40f4da 1353->1357 1358 40f536-40f540 1356->1358 1359 40f4dc-40f4de 1357->1359 1360 40f4fd-40f517 call 41557c 1357->1360 1361 40f4e0-40f4e2 1359->1361 1364 40f51c-40f51f 1360->1364 1363 40f4e6-40f4ed 1361->1363 1365 40f521-40f52c 1363->1365 1366 40f4ef-40f4f2 1363->1366 1364->1353 1367 40f543-40f54e 1365->1367 1368 40f52e-40f52f 1365->1368 1369 42937a-4293a0 call 41557c call 4151b0 1366->1369 1370 40f4f8-40f4fb 1366->1370 1371 40f550-40f553 1367->1371 1372 40f555-40f560 1367->1372 1368->1366 1380 4293a5-4293c3 call 4151d0 1369->1380 1370->1360 1370->1361 1371->1366 1375 429372 1372->1375 1376 40f566-40f571 1372->1376 1375->1369 1378 429361-429367 1376->1378 1379 40f577-40f57a 1376->1379 1378->1363 1381 42936d 1378->1381 1379->1366 1380->1358 1381->1375
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock_fseek_strcat
                                                                        • String ID: AU3!$EA06
                                                                        • API String ID: 3818483258-2658333250
                                                                        • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                        • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                                        • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                        • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
                                                                        Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1384 410130-410142 SHGetMalloc 1385 410148-410158 SHGetDesktopFolder 1384->1385 1386 42944f-429459 call 411691 1384->1386 1387 4101d1-4101e0 1385->1387 1388 41015a-410188 call 411691 1385->1388 1387->1386 1394 4101e6-4101ee 1387->1394 1396 4101c5-4101ce 1388->1396 1397 41018a-4101a1 SHGetPathFromIDListW 1388->1397 1396->1387 1398 4101a3-4101b1 call 411691 1397->1398 1399 4101b4-4101c0 1397->1399 1398->1399 1399->1396
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                                        • String ID: C:\Users\user\Desktop\Pi648je050.exe
                                                                        • API String ID: 192938534-3310814612
                                                                        • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                        • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                                        • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                        • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6
                                                                        Function 00401230 Relevance: 12.1, APIs: 8, Instructions: 83windowtimeCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1402 401230-40123b 1403 401241-401272 call 4131f0 call 401be0 1402->1403 1404 4012c5-4012cd 1402->1404 1409 401274-401292 1403->1409 1410 4012ae-4012bf KillTimer SetTimer 1403->1410 1411 42aa61-42aa67 1409->1411 1412 401298-40129c 1409->1412 1410->1404 1415 42aa8b-42aaa7 Shell_NotifyIconW 1411->1415 1416 42aa69-42aa86 Shell_NotifyIconW 1411->1416 1413 4012a2-4012a8 1412->1413 1414 42aaac-42aab3 1412->1414 1413->1410 1417 42aaf8-42ab15 Shell_NotifyIconW 1413->1417 1418 42aad7-42aaf3 Shell_NotifyIconW 1414->1418 1419 42aab5-42aad2 Shell_NotifyIconW 1414->1419 1415->1410 1416->1410 1417->1410 1418->1410 1419->1410
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00401257
                                                                          • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                                          • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                                          • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                                          • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                        • KillTimer.USER32(?,?), ref: 004012B0
                                                                        • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                                        • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                                        • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                                        • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                                        • String ID:
                                                                        • API String ID: 1792922140-0
                                                                        • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                        • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                                        • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                        • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                                                                        Function 03F4FA18 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1420 3f4fa18-3f4fac6 call 3f4d458 1423 3f4facd-3f4faf3 call 3f50928 CreateFileW 1420->1423 1426 3f4faf5 1423->1426 1427 3f4fafa-3f4fb0a 1423->1427 1428 3f4fc45-3f4fc49 1426->1428 1432 3f4fb11-3f4fb2b VirtualAlloc 1427->1432 1433 3f4fb0c 1427->1433 1430 3f4fc8b-3f4fc8e 1428->1430 1431 3f4fc4b-3f4fc4f 1428->1431 1434 3f4fc91-3f4fc98 1430->1434 1435 3f4fc51-3f4fc54 1431->1435 1436 3f4fc5b-3f4fc5f 1431->1436 1439 3f4fb32-3f4fb49 ReadFile 1432->1439 1440 3f4fb2d 1432->1440 1433->1428 1441 3f4fced-3f4fd02 1434->1441 1442 3f4fc9a-3f4fca5 1434->1442 1435->1436 1437 3f4fc61-3f4fc6b 1436->1437 1438 3f4fc6f-3f4fc73 1436->1438 1437->1438 1445 3f4fc75-3f4fc7f 1438->1445 1446 3f4fc83 1438->1446 1447 3f4fb50-3f4fb90 VirtualAlloc 1439->1447 1448 3f4fb4b 1439->1448 1440->1428 1443 3f4fd04-3f4fd0f VirtualFree 1441->1443 1444 3f4fd12-3f4fd1a 1441->1444 1449 3f4fca7 1442->1449 1450 3f4fca9-3f4fcb5 1442->1450 1443->1444 1445->1446 1446->1430 1451 3f4fb97-3f4fbb2 call 3f50b78 1447->1451 1452 3f4fb92 1447->1452 1448->1428 1449->1441 1453 3f4fcb7-3f4fcc7 1450->1453 1454 3f4fcc9-3f4fcd5 1450->1454 1460 3f4fbbd-3f4fbc7 1451->1460 1452->1428 1458 3f4fceb 1453->1458 1455 3f4fcd7-3f4fce0 1454->1455 1456 3f4fce2-3f4fce8 1454->1456 1455->1458 1456->1458 1458->1434 1461 3f4fbc9-3f4fbf8 call 3f50b78 1460->1461 1462 3f4fbfa-3f4fc0e call 3f50988 1460->1462 1461->1460 1468 3f4fc10 1462->1468 1469 3f4fc12-3f4fc16 1462->1469 1468->1428 1470 3f4fc22-3f4fc26 1469->1470 1471 3f4fc18-3f4fc1c CloseHandle 1469->1471 1472 3f4fc36-3f4fc3f 1470->1472 1473 3f4fc28-3f4fc33 VirtualFree 1470->1473 1471->1470 1472->1423 1472->1428 1473->1472
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F4FAE9
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F4FD0F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileFreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 204039940-0
                                                                        • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                                        • Instruction ID: 85e5d184f66efc93082b2cb410e8da20b8c502de52bc1f651f3c956de09279ba
                                                                        • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                                        • Instruction Fuzzy Hash: D4A11775E0020AEBDB14CFA4C994BEEBBB5FF48304F248599E605BB280D7759A81CB54
                                                                        Function 00414F10 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1474 414f10-414f2c 1475 414f4f 1474->1475 1476 414f2e-414f31 1474->1476 1478 414f51-414f55 1475->1478 1476->1475 1477 414f33-414f35 1476->1477 1479 414f37-414f46 call 417f23 1477->1479 1480 414f56-414f5b 1477->1480 1492 414f47-414f4c call 417ebb 1479->1492 1482 414f6a-414f6d 1480->1482 1483 414f5d-414f68 1480->1483 1486 414f7a-414f7c 1482->1486 1487 414f6f-414f77 call 4131f0 1482->1487 1483->1482 1485 414f8b-414f9e 1483->1485 1490 414fa0-414fa6 1485->1490 1491 414fa8 1485->1491 1486->1479 1489 414f7e-414f89 1486->1489 1487->1486 1489->1479 1489->1485 1494 414faf-414fb1 1490->1494 1491->1494 1492->1475 1496 4150a1-4150a4 1494->1496 1497 414fb7-414fbe 1494->1497 1496->1478 1499 414fc0-414fc5 1497->1499 1500 415004-415007 1497->1500 1499->1500 1503 414fc7 1499->1503 1501 415071-415072 call 41e6b1 1500->1501 1502 415009-41500d 1500->1502 1509 415077-41507b 1501->1509 1505 41500f-415018 1502->1505 1506 41502e-415035 1502->1506 1507 415102 1503->1507 1508 414fcd-414fd1 1503->1508 1510 415023-415028 1505->1510 1511 41501a-415021 1505->1511 1513 415037 1506->1513 1514 415039-41503c 1506->1514 1512 415106-41510f 1507->1512 1515 414fd3 1508->1515 1516 414fd5-414fd8 1508->1516 1509->1512 1517 415081-415085 1509->1517 1518 41502a-41502c 1510->1518 1511->1518 1512->1478 1513->1514 1519 415042-41504e call 41453a call 41ed9e 1514->1519 1520 4150d5-4150d9 1514->1520 1515->1516 1521 4150a9-4150af 1516->1521 1522 414fde-414fff call 41ee9b 1516->1522 1517->1520 1525 415087-415096 1517->1525 1518->1514 1542 415053-415058 1519->1542 1523 4150eb-4150fd call 417f23 1520->1523 1524 4150db-4150e8 call 4131f0 1520->1524 1526 4150b1-4150bd call 4131f0 1521->1526 1527 4150c0-4150d0 call 417f23 1521->1527 1533 415099-41509b 1522->1533 1523->1492 1524->1523 1525->1533 1526->1527 1527->1492 1533->1496 1533->1497 1543 415114-415118 1542->1543 1544 41505e-415061 1542->1544 1543->1512 1544->1507 1545 415067-41506f 1544->1545 1545->1533
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 3886058894-0
                                                                        • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                        • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                                        • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                        • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99
                                                                        Function 00401BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90windowCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1546 401be0-401bf5 1547 401bfb-401c12 call 4013a0 1546->1547 1548 401cde-401ce3 1546->1548 1551 42a9a0-42a9b0 LoadStringW 1547->1551 1552 401c18-401c34 call 4021e0 1547->1552 1555 42a9bb-42a9c8 call 40df50 1551->1555 1557 401c3a-401c3e 1552->1557 1558 42a9cd-42a9ea call 40d3b0 call 437a81 1552->1558 1562 401c53-401cd9 call 4131f0 call 41326a call 411691 Shell_NotifyIconW call 402620 1555->1562 1557->1555 1560 401c44-401c4e call 40d3b0 1557->1560 1558->1562 1570 42a9f0-42aa04 call 40d3b0 call 437a81 1558->1570 1560->1562 1562->1548
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • _memset.LIBCMT ref: 00401C62
                                                                        • _wcsncpy.LIBCMT ref: 00401CA1
                                                                        • _wcscpy.LIBCMT ref: 00401CBD
                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                                        • String ID: Line:
                                                                        • API String ID: 1620655955-1585850449
                                                                        • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                        • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                                        • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                        • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B
                                                                        Function 004103E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1579 4103e0-410461 CreateWindowExW * 2 ShowWindow * 2
                                                                        APIs
                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                        • ShowWindow.USER32(?,00000000), ref: 00410454
                                                                        • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateShow
                                                                        • String ID: AutoIt v3$edit
                                                                        • API String ID: 1584632944-3779509399
                                                                        • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                        • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                                        • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                        • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C
                                                                        Function 03F4F808 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137fileCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1580 3f4f808-3f4f914 call 3f4d458 call 3f4f6f8 CreateFileW 1587 3f4f916 1580->1587 1588 3f4f91b-3f4f92b 1580->1588 1589 3f4f9cb-3f4f9d0 1587->1589 1591 3f4f932-3f4f94c VirtualAlloc 1588->1591 1592 3f4f92d 1588->1592 1593 3f4f950-3f4f967 ReadFile 1591->1593 1594 3f4f94e 1591->1594 1592->1589 1595 3f4f969 1593->1595 1596 3f4f96b-3f4f9a5 call 3f4f738 call 3f4e6f8 1593->1596 1594->1589 1595->1589 1601 3f4f9a7-3f4f9bc call 3f4f788 1596->1601 1602 3f4f9c1-3f4f9c9 ExitProcess 1596->1602 1601->1602 1602->1589
                                                                        APIs
                                                                          • Part of subcall function 03F4F6F8: Sleep.KERNELBASE(000001F4), ref: 03F4F709
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F4F90A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileSleep
                                                                        • String ID: WEL6JCTUEZAV4ST
                                                                        • API String ID: 2694422964-1178688521
                                                                        • Opcode ID: b8bc68c380965f990556adb8cf716006b156708fb0ee50c97725481cc9298780
                                                                        • Instruction ID: 817176cd23393adb102f679d0a69f04b1ba16de996184c613d249bedaf0028a1
                                                                        • Opcode Fuzzy Hash: b8bc68c380965f990556adb8cf716006b156708fb0ee50c97725481cc9298780
                                                                        • Instruction Fuzzy Hash: 18516E71D14389EBEF10DBA4CD18BEEBBB9AF04300F004599E618BB2C0D7794A45CB65
                                                                        Function 00413A88 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __lock.LIBCMT ref: 00413AA6
                                                                          • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                                          • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                                          • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                                        • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                        • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                        • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                        • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                        • String ID:
                                                                        • API String ID: 2714421763-0
                                                                        • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                        • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                                        • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                        • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                                                        Function 004734B7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 234COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #v
                                                                        • API String ID: 0-554117064
                                                                        • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                        • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                                        • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                        • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                                        Function 0040F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                                          • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                                          • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                                        • _strcat.LIBCMT ref: 0040F603
                                                                          • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                                          • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                                        • String ID: HH
                                                                        • API String ID: 1194219731-2761332787
                                                                        • Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                                        • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                                        • Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                                        • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                                        Function 03F4E6F8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03F4EF25
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F4EF49
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F4EF6B
                                                                        • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 03F4F274
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 572931308-0
                                                                        • Opcode ID: 16350fb524ce34433e5302bd6868933b0d815fd085ecdba905f917c129a37da2
                                                                        • Instruction ID: de14dfec1dfcefe0d9ed18988d6fbf6f5e876cc87afb70face277186fb7c5411
                                                                        • Opcode Fuzzy Hash: 16350fb524ce34433e5302bd6868933b0d815fd085ecdba905f917c129a37da2
                                                                        • Instruction Fuzzy Hash: 7D620934A142599BEB24CFA4C840BDEB776FF58300F1091A9D10DEB394E7799E81CB59
                                                                        Function 0040E1E0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0040E202
                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: IconNotifyShell__memset
                                                                        • String ID:
                                                                        • API String ID: 928536360-0
                                                                        • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                        • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                                                        • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                        • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                                                        Function 0041171A Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 00411734
                                                                          • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                          • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                          • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                        • __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 1411284514-0
                                                                        • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                        • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                                                        • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                        • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                                        Function 0040F110 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                        • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                                        • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                        • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                                        Function 0043526E Relevance: 4.5, APIs: 3, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 00435278
                                                                          • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                          • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                          • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                        • _malloc.LIBCMT ref: 00435288
                                                                        • _malloc.LIBCMT ref: 00435298
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _malloc$AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 680241177-0
                                                                        • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                        • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                                        • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                        • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                                        Function 03F4F788 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 03F4F7E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: D
                                                                        • API String ID: 963392458-2746444292
                                                                        • Opcode ID: a782293119ad2c684ee7f4e1b7c6ce7e54987cc35907e67b60f32668cf9ab6a9
                                                                        • Instruction ID: b2e63bdcb3b73c1ac7a585c572ed34d6334985c0ade2c14855989ce1ab88e809
                                                                        • Opcode Fuzzy Hash: a782293119ad2c684ee7f4e1b7c6ce7e54987cc35907e67b60f32668cf9ab6a9
                                                                        • Instruction Fuzzy Hash: 77011D7594030DABDB20EFE0CD49FFE7B7CAF44701F508549BA1A9A180FA7896088B61
                                                                        Function 03F4E6F5 Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 03F4EF25
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F4EF49
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F4EF6B
                                                                        • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 03F4F274
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 572931308-0
                                                                        • Opcode ID: cb8aa3b624afa586da4b9f45ee7586089f10f6135755b787acfd1e3fdf7770d3
                                                                        • Instruction ID: 8137896e01119bf75acbb7bfc79e8c118db5a25999fadc34b563790cfbd68903
                                                                        • Opcode Fuzzy Hash: cb8aa3b624afa586da4b9f45ee7586089f10f6135755b787acfd1e3fdf7770d3
                                                                        • Instruction Fuzzy Hash: A112CD24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4F81CB5A
                                                                        Function 0040EFE0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                        • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                        • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                        • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                                        Function 0041511A Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __lock_file_memset
                                                                        • String ID:
                                                                        • API String ID: 26237723-0
                                                                        • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                        • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                        • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                        • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                        Function 00414E94 Relevance: 3.0, APIs: 2, Instructions: 39COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                          • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                        • __lock_file.LIBCMT ref: 00414EE4
                                                                          • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                        • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                        • String ID:
                                                                        • API String ID: 717694121-0
                                                                        • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                        • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                        • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                        • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                        Function 004098B8 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TranslateMessage.USER32(?), ref: 004098F6
                                                                        • DispatchMessageW.USER32(?), ref: 00409901
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DispatchTranslate
                                                                        • String ID:
                                                                        • API String ID: 1706434739-0
                                                                        • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                        • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                                                                        • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                        • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                                                                        Function 004098B6 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • TranslateMessage.USER32(?), ref: 004098F6
                                                                        • DispatchMessageW.USER32(?), ref: 00409901
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DispatchTranslate
                                                                        • String ID:
                                                                        • API String ID: 1706434739-0
                                                                        • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                        • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                                                                        • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                        • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                                                                        Function 00410D40 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                        Function 004092C0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                        • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                        • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                        • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                        Function 00401108 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ProcWindow
                                                                        • String ID:
                                                                        • API String ID: 181713994-0
                                                                        • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                        • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                        • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                        • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                        Function 0041AA31 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID:
                                                                        • API String ID: 10892065-0
                                                                        • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                        • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                        • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                        • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                        Function 00444343 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                                        • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerWrite
                                                                        • String ID:
                                                                        • API String ID: 539440098-0
                                                                        • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                        • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                        • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                        • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                        Function 0040116E Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ProcWindow
                                                                        • String ID:
                                                                        • API String ID: 181713994-0
                                                                        • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                        • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                        • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                        • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                        Function 00414E06 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wfsopen
                                                                        • String ID:
                                                                        • API String ID: 197181222-0
                                                                        • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                        • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                        • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                        • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                        Function 0040D900 Relevance: 1.3, APIs: 1, Instructions: 22COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle
                                                                        • String ID:
                                                                        • API String ID: 2962429428-0
                                                                        • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                        • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                        • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                        • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                        Function 03F4F6F4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 03F4F709
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction ID: 921c171e351b4773807de343936d12117a977f9d48089115a2330785eea348ad
                                                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                        • Instruction Fuzzy Hash: 89E0BF7498020DEFDB00DFA8D6496DE7BB4EF04301F1005A1FD05D7680DB309E548A62
                                                                        Function 03F4F6F8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 03F4F709
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2144207818.0000000003F4D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_3f4d000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction ID: ee8d5521768b471db2df10e650b198132cf79deec6a12a231b2cb09b2f74be18
                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                        • Instruction Fuzzy Hash: 20E0E67498020DDFDB00DFB8D64969E7FF4EF04301F1001A1FD05D2280D6309D508A62

                                                                        Non-executed Functions

                                                                        Function 0047C08E Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 676windowkeyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                        • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                        • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                        • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                        • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                        • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                        • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                        • SendMessageW.USER32 ref: 0047C2FB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$State$LongProcWindow
                                                                        • String ID: @GUI_DRAGID$F
                                                                        • API String ID: 1562745308-4164748364
                                                                        • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                        • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                                        • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                        • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                                                        Function 004045E0 Relevance: 46.9, Strings: 35, Instructions: 3193COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
                                                                        • API String ID: 0-3772701627
                                                                        • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                        • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                                        • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                        • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                                        Function 004375B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126threadkeyboardwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                                        • IsIconic.USER32(?), ref: 004375E1
                                                                        • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                                        • SetForegroundWindow.USER32(?), ref: 004375FD
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                                        • SetForegroundWindow.USER32(?), ref: 00437645
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                                        • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                                        • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                                        • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                                        • SetForegroundWindow.USER32(?), ref: 004376AD
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 3778422247-2988720461
                                                                        • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                        • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                                                        • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                        • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                                                        Function 004461ED Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 227processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0044621B
                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                                        • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                                        • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                                        • _wcslen.LIBCMT ref: 0044639E
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • _wcsncpy.LIBCMT ref: 004463C7
                                                                        • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                                        • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                                        • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                                        • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                                        • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                                        • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                                        • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                                        • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                        • String ID: $default$winsta0
                                                                        • API String ID: 2173856841-1027155976
                                                                        • Opcode ID: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                                                                        • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                                        • Opcode Fuzzy Hash: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                                                                        • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                                        Function 0044BD29 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Pi648je050.exe,?,C:\Users\user\Desktop\Pi648je050.exe,004A8E80,C:\Users\user\Desktop\Pi648je050.exe,0040F3D2), ref: 0040FFCA
                                                                          • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                                          • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                                          • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                                          • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                        • _wcscat.LIBCMT ref: 0044BD96
                                                                        • _wcscat.LIBCMT ref: 0044BDBF
                                                                        • __wsplitpath.LIBCMT ref: 0044BDEC
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                                        • _wcscpy.LIBCMT ref: 0044BE73
                                                                        • _wcscat.LIBCMT ref: 0044BE85
                                                                        • _wcscat.LIBCMT ref: 0044BE97
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                                        • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                                                        • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                                                        • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                                        • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                        • String ID: \*.*
                                                                        • API String ID: 2188072990-1173974218
                                                                        • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                        • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                                                        • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                        • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                                                        Function 0042039F Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282timeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __invoke_watson.LIBCMT ref: 004203A4
                                                                          • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                                          • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                                          • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                                                          • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                                                          • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                                          • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                                        • __get_daylight.LIBCMT ref: 004203B0
                                                                        • __invoke_watson.LIBCMT ref: 004203BF
                                                                        • __get_daylight.LIBCMT ref: 004203CB
                                                                        • __invoke_watson.LIBCMT ref: 004203DA
                                                                        • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                                        • _strlen.LIBCMT ref: 00420442
                                                                        • __malloc_crt.LIBCMT ref: 00420449
                                                                        • _strlen.LIBCMT ref: 0042045F
                                                                        • _strcpy_s.LIBCMT ref: 0042046D
                                                                        • __invoke_watson.LIBCMT ref: 00420482
                                                                        • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                                        • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                                        • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                                          • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                                          • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                          • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                          • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                          • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                        • __invoke_watson.LIBCMT ref: 004205CC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                                        • String ID: S\
                                                                        • API String ID: 4084823496-393906132
                                                                        • Opcode ID: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                                                                        • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                                                        • Opcode Fuzzy Hash: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                                                                        • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                                                                        Function 00434D50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 114fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                                                        • __swprintf.LIBCMT ref: 00434D91
                                                                        • _wcslen.LIBCMT ref: 00434D9B
                                                                        • _wcslen.LIBCMT ref: 00434DB0
                                                                        • _wcslen.LIBCMT ref: 00434DC5
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                                                        • _memset.LIBCMT ref: 00434E27
                                                                        • _wcslen.LIBCMT ref: 00434E3C
                                                                        • _wcsncpy.LIBCMT ref: 00434E6F
                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                        • String ID: :$\$\??\%s
                                                                        • API String ID: 302090198-3457252023
                                                                        • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                        • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                                                                        • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                        • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                                                                        Function 00464422 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                                                        • GetLastError.KERNEL32 ref: 004644B4
                                                                        • GetCurrentThread.KERNEL32 ref: 004644C8
                                                                        • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                                                                        • String ID: SeDebugPrivilege
                                                                        • API String ID: 1312810259-2896544425
                                                                        • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                        • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                                                                        • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                        • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                                                                        Function 004037E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 359COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                                                        • __wsplitpath.LIBCMT ref: 004038B2
                                                                          • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                        • _wcscpy.LIBCMT ref: 004038C7
                                                                        • _wcscat.LIBCMT ref: 004038DC
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                          • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                                                          • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                                                        • _wcscpy.LIBCMT ref: 004039C2
                                                                        • _wcslen.LIBCMT ref: 00403A53
                                                                        • _wcslen.LIBCMT ref: 00403AAA
                                                                        Strings
                                                                        • Unterminated string, xrefs: 0042B9BA
                                                                        • _, xrefs: 00403B48
                                                                        • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                                                        • Error opening the file, xrefs: 0042B8AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                        • API String ID: 4115725249-188983378
                                                                        • Opcode ID: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
                                                                        • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                                                        • Opcode Fuzzy Hash: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
                                                                        • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                                                        Function 00434BEE Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                                                        • FindClose.KERNEL32(00000000), ref: 00434C88
                                                                        • FindClose.KERNEL32(00000000), ref: 00434C9C
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                                                        • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                                                        • FindClose.KERNEL32(00000000), ref: 00434D35
                                                                        • FindClose.KERNEL32(00000000), ref: 00434D43
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                        • String ID: *.*
                                                                        • API String ID: 1409584000-438819550
                                                                        • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                        • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                                        • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                        • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                                        Function 00444078 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94timesleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Timetime$Sleep
                                                                        • String ID: BUTTON
                                                                        • API String ID: 4176159691-3405671355
                                                                        • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                        • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                                        • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                        • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                                        Function 00445DD3 Relevance: 18.2, APIs: 12, Instructions: 179COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                                          • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                                          • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                                          • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                                        • _memset.LIBCMT ref: 00445E61
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                                        • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                                        • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                                        • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                                        • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                        • String ID:
                                                                        • API String ID: 3490752873-0
                                                                        • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                        • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                                        • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                        • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                                        Function 0047A999 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 288comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                        • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                        • _memset.LIBCMT ref: 0047AB7C
                                                                        • _wcslen.LIBCMT ref: 0047AC68
                                                                        • _memset.LIBCMT ref: 0047ACCD
                                                                        • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                        • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                        Strings
                                                                        • NULL Pointer assignment, xrefs: 0047AD84
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                                        • String ID: NULL Pointer assignment
                                                                        • API String ID: 1588287285-2785691316
                                                                        • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                        • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                                        • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                        • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                                        Function 004364AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79shutdownCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                                        • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                                        • GetLastError.KERNEL32 ref: 00436504
                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                                        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                                        • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                        • String ID: SeShutdownPrivilege
                                                                        • API String ID: 2938487562-3733053543
                                                                        • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                        • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                                        • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                        • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                                        Function 0043614F Relevance: 16.6, APIs: 11, Instructions: 103COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __swprintf.LIBCMT ref: 00436162
                                                                        • __swprintf.LIBCMT ref: 00436176
                                                                          • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                                        • __wcsicoll.LIBCMT ref: 00436185
                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                                        • LockResource.KERNEL32(00000000), ref: 004361B5
                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                                        • LockResource.KERNEL32(?), ref: 004361FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                                        • String ID:
                                                                        • API String ID: 2406429042-0
                                                                        • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                        • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                                        • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                        • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                                        Function 0045D517 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                                        • GetLastError.KERNEL32 ref: 0045D59D
                                                                        • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                        • API String ID: 4194297153-14809454
                                                                        • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                        • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                                        • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                        • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                                        Function 0047AD92 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                                          • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                        • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • _wcslen.LIBCMT ref: 0047AE18
                                                                        • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                                        • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                                        • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                                        • String ID: HH
                                                                        • API String ID: 1915432386-2761332787
                                                                        • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                        • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                                        • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                        • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                                        Function 0044ED9A Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 448COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DEFINE$`$h$h
                                                                        • API String ID: 0-4194577831
                                                                        • Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                                        • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                                        • Opcode Fuzzy Hash: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
                                                                        • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                                        Function 0046483C Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                                                                        • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                                        • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                                                                        • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                                        • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$bindclosesocketsocket
                                                                        • String ID:
                                                                        • API String ID: 2609815416-0
                                                                        • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                        • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                                        • Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                        • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                                        Function 0043701F Relevance: 10.6, APIs: 7, Instructions: 76processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                                        • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                                        • __wsplitpath.LIBCMT ref: 004370A5
                                                                          • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                        • _wcscat.LIBCMT ref: 004370BA
                                                                        • __wcsicoll.LIBCMT ref: 004370C8
                                                                        • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                        • String ID:
                                                                        • API String ID: 2547909840-0
                                                                        • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                        • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                                        • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                        • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                        Function 00452126 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127filesleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                        • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                        • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                        • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                        • String ID: *.*
                                                                        • API String ID: 2693929171-438819550
                                                                        • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                        • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                                        • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                        • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                                        Function 0046C5D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69clipboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OpenClipboard.USER32(?), ref: 0046C635
                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                        • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                                        • CloseClipboard.USER32 ref: 0046C65D
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                        • CloseClipboard.USER32 ref: 0046C692
                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                        • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                        • CloseClipboard.USER32 ref: 0046C866
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                        • String ID: HH
                                                                        • API String ID: 589737431-2761332787
                                                                        • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                        • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
                                                                        • Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                        • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
                                                                        Function 00436431 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __wcsicoll.LIBCMT ref: 0043643C
                                                                        • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                                        • __wcsicoll.LIBCMT ref: 00436466
                                                                        • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicollmouse_event
                                                                        • String ID: DOWN
                                                                        • API String ID: 1033544147-711622031
                                                                        • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                        • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                                        • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                        • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                                        Function 004741BB Relevance: 7.6, APIs: 5, Instructions: 137networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 4170576061-0
                                                                        • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                        • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                                        • Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                        • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                                        Function 00456354 Relevance: 7.6, APIs: 5, Instructions: 127keyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                        • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                        • GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                        • GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 3539004672-0
                                                                        • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                        • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                                        • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                        • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                                        Function 004772DE Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                        • IsWindowVisible.USER32 ref: 00477314
                                                                        • IsWindowEnabled.USER32 ref: 00477324
                                                                        • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                                                        • IsIconic.USER32 ref: 0047733F
                                                                        • IsZoomed.USER32 ref: 0047734D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                        • String ID:
                                                                        • API String ID: 292994002-0
                                                                        • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                        • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                                        • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                        • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                                        Function 00436D2D Relevance: 7.6, APIs: 5, Instructions: 52filetimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,76233220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                        • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleTime
                                                                        • String ID:
                                                                        • API String ID: 3397143404-0
                                                                        • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                        • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                                        • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                        • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                                        Function 0044EBBC Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 551COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _strncmp
                                                                        • String ID: ACCEPT$^$h
                                                                        • API String ID: 909875538-4263704089
                                                                        • Opcode ID: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                        • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                                                        • Opcode Fuzzy Hash: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                        • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                                                        Function 0040D7F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _set_new_mode.LIBCMT ref: 0040D88C
                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D8B9
                                                                        • FreeLibrary.KERNEL32(?), ref: 0040D8CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FreeInfoLibraryParametersSystem_set_new_mode
                                                                        • String ID: #v
                                                                        • API String ID: 1188159508-554117064
                                                                        • Opcode ID: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                        • Instruction ID: 2b4412acdce639bfbf0f9e0c9ecf3f694f94d165ded01d265c3c64edb54a61d9
                                                                        • Opcode Fuzzy Hash: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                        • Instruction Fuzzy Hash: C2215EB19183009FC700EF56D88150ABBE4FB98354F44497EF849A72A2D735A945CB9A
                                                                        Function 00446566 Relevance: 5.9, Strings: 4, Instructions: 868COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ERCP$VUUU$VUUU$VUUU
                                                                        • API String ID: 0-2165971703
                                                                        • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                        • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
                                                                        • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                        • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
                                                                        Function 0045C999 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstNext
                                                                        • String ID:
                                                                        • API String ID: 3541575487-0
                                                                        • Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                                                                        • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                                        • Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                                                                        • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                                        Function 00436ADE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                                        • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                                        • FindClose.KERNEL32(00000000), ref: 00436B13
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                        • String ID:
                                                                        • API String ID: 48322524-0
                                                                        • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                        • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                                        • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                        • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                                        Function 00443390 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __time64.LIBCMT ref: 004433A2
                                                                          • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                          • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                                        • String ID: rJ
                                                                        • API String ID: 2893107130-1865492326
                                                                        • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                        • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                                        • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                        • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                                        Function 00443391 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __time64.LIBCMT ref: 004433A2
                                                                          • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                          • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                                        • String ID: rJ
                                                                        • API String ID: 2893107130-1865492326
                                                                        • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                        • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                                        • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                        • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                                        Function 0044289D Relevance: 3.1, APIs: 2, Instructions: 82networkfileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                                          • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                        • String ID:
                                                                        • API String ID: 901099227-0
                                                                        • Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                                                                        • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                                        • Opcode Fuzzy Hash: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                                                                        • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                                                        Function 0045DD7C Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                                        • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                        • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                                        • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                        • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                                        Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0vH$HH
                                                                        • API String ID: 0-728391547
                                                                        • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                        • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                        • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                        • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                        Function 0040F890 Relevance: 2.1, APIs: 1, Instructions: 589COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _memset
                                                                        • String ID:
                                                                        • API String ID: 2102423945-0
                                                                        • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                        • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                        • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                        • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                        Function 0047E1FA Relevance: 2.0, APIs: 1, Instructions: 499COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Proc
                                                                        • String ID:
                                                                        • API String ID: 2346855178-0
                                                                        • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                        • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                        • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                        • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                        Function 0045A259 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • BlockInput.USER32(00000001), ref: 0045A272
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BlockInput
                                                                        • String ID:
                                                                        • API String ID: 3456056419-0
                                                                        • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                        • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                        • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                        • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                        Function 0043916A Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: LogonUser
                                                                        • String ID:
                                                                        • API String ID: 1244722697-0
                                                                        • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                        • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                        • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                        • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                        Function 004711D2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: NameUser
                                                                        • String ID:
                                                                        • API String ID: 2645101109-0
                                                                        • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                        • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                        • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                        • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                                        Function 0042202E Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                        • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                                        • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                        • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                                        Function 00412C38 Relevance: .4, Instructions: 384COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                        • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                                        • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                        • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                                        Function 00412818 Relevance: .4, Instructions: 378COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                        • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                                        • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                        • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                                        Function 0041240C Relevance: .4, Instructions: 361COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                        • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                                        • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                        • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                                        Function 00412038 Relevance: .4, Instructions: 351COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                        • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                                        • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                        • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                                        Function 00410D10 Relevance: .0, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                        • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                                        • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                        • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                                        Function 00459384 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 480filewindowcomCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DeleteObject.GDI32(?), ref: 004593D7
                                                                        • DeleteObject.GDI32(?), ref: 004593F1
                                                                        • DestroyWindow.USER32(?), ref: 00459407
                                                                        • GetDesktopWindow.USER32 ref: 0045942A
                                                                        • GetWindowRect.USER32(00000000), ref: 00459431
                                                                        • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                                        • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                                        • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                                        • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                                        • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                                        • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                                        • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                                        • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                                        • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                                        • GetStockObject.GDI32(00000011), ref: 004597B7
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                                        • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                                        • DeleteDC.GDI32(00000000), ref: 004597E1
                                                                        • _wcslen.LIBCMT ref: 00459800
                                                                        • _wcscpy.LIBCMT ref: 0045981F
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                                        • GetDC.USER32(?), ref: 004598DE
                                                                        • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                                        • SelectObject.GDI32(00000000,?), ref: 00459919
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                                        • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                                        • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                        • API String ID: 4040870279-2373415609
                                                                        • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                        • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                                        • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                        • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                                        Function 00441E05 Relevance: 49.8, APIs: 33, Instructions: 276COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetSysColor.USER32(00000012), ref: 00441E64
                                                                        • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                                        • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                                        • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                                        • SelectObject.GDI32(?,?), ref: 00441EBA
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                                        • GetSysColor.USER32(00000010), ref: 00441EF8
                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                                        • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                                        • DeleteObject.GDI32(?), ref: 00441F1B
                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                                        • FillRect.USER32(?,?,?), ref: 00441FB6
                                                                          • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                                          • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                          • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                          • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                          • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                                          • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                          • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                          • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                                          • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                                          • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                          • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                          • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                                          • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                        • String ID:
                                                                        • API String ID: 69173610-0
                                                                        • Opcode ID: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
                                                                        • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                                        • Opcode Fuzzy Hash: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
                                                                        • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                                        Function 00403E50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 236COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                        • API String ID: 1038674560-3360698832
                                                                        • Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                                        • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                                        • Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                                        • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                                        Function 00433D5C Relevance: 42.2, APIs: 28, Instructions: 198windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetSysColor.USER32(0000000E), ref: 00433D81
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                        • GetSysColor.USER32(00000012), ref: 00433DA3
                                                                        • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                        • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                        • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                        • GetSysColor.USER32(00000011), ref: 00433DEB
                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                        • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                        • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                        • SelectObject.GDI32(?,?), ref: 00433E29
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                        • GetWindowLongW.USER32 ref: 00433E8A
                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                        • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                                        • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                                        • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                        • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                        • SelectObject.GDI32(?,?), ref: 00433F63
                                                                        • DeleteObject.GDI32(?), ref: 00433F70
                                                                        • SelectObject.GDI32(?,?), ref: 00433F78
                                                                        • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                        • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                        • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 1582027408-0
                                                                        • Opcode ID: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                                        • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                                        • Opcode Fuzzy Hash: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                                                                        • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                                        Function 0046C604 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 216clipboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OpenClipboard.USER32(?), ref: 0046C635
                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                        • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                                        • CloseClipboard.USER32 ref: 0046C65D
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                        • CloseClipboard.USER32 ref: 0046C692
                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                        • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                        • CloseClipboard.USER32 ref: 0046C866
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                        • String ID: HH
                                                                        • API String ID: 589737431-2761332787
                                                                        • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                        • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
                                                                        • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                        • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
                                                                        Function 0045657D Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 287windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 00456692
                                                                        • GetDesktopWindow.USER32 ref: 004566AA
                                                                        • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                        • DestroyWindow.USER32(?), ref: 00456731
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                        • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                        • IsWindowVisible.USER32(?), ref: 00456812
                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                        • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                        • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                        • GetMonitorInfoW.USER32 ref: 00456894
                                                                        • CopyRect.USER32(?,?), ref: 004568A8
                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                        • String ID: ($,$tooltips_class32
                                                                        • API String ID: 541082891-3320066284
                                                                        • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                        • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                                        • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                        • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                                        Function 00454DAA Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 203windowlibraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00454DCF
                                                                        • _wcslen.LIBCMT ref: 00454DE2
                                                                        • __wcsicoll.LIBCMT ref: 00454DEF
                                                                        • _wcslen.LIBCMT ref: 00454E04
                                                                        • __wcsicoll.LIBCMT ref: 00454E11
                                                                        • _wcslen.LIBCMT ref: 00454E24
                                                                        • __wcsicoll.LIBCMT ref: 00454E31
                                                                          • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                        • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                                        • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                        • DestroyIcon.USER32(?), ref: 00454FA2
                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                        • String ID: .dll$.exe$.icl$#v
                                                                        • API String ID: 2511167534-1852478350
                                                                        • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                        • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                        • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                        • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                        Function 00436B3A Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 190COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                        • _wcslen.LIBCMT ref: 00436B79
                                                                        • _wcscpy.LIBCMT ref: 00436B9F
                                                                        • _wcscat.LIBCMT ref: 00436BC0
                                                                        • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                        • _wcscat.LIBCMT ref: 00436C2A
                                                                        • _wcscat.LIBCMT ref: 00436C31
                                                                        • __wcsicoll.LIBCMT ref: 00436C4B
                                                                        • _wcsncpy.LIBCMT ref: 00436C62
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                        • API String ID: 1503153545-1459072770
                                                                        • Opcode ID: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                                        • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                        • Opcode Fuzzy Hash: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                                                                        • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                        Function 00452788 Relevance: 34.8, APIs: 23, Instructions: 344COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                        • _fseek.LIBCMT ref: 004527FC
                                                                        • __wsplitpath.LIBCMT ref: 0045285C
                                                                        • _wcscpy.LIBCMT ref: 00452871
                                                                        • _wcscat.LIBCMT ref: 00452886
                                                                        • __wsplitpath.LIBCMT ref: 004528B0
                                                                        • _wcscat.LIBCMT ref: 004528C8
                                                                        • _wcscat.LIBCMT ref: 004528DD
                                                                        • __fread_nolock.LIBCMT ref: 00452914
                                                                        • __fread_nolock.LIBCMT ref: 00452925
                                                                        • __fread_nolock.LIBCMT ref: 00452944
                                                                        • __fread_nolock.LIBCMT ref: 00452955
                                                                        • __fread_nolock.LIBCMT ref: 00452976
                                                                        • __fread_nolock.LIBCMT ref: 00452987
                                                                        • __fread_nolock.LIBCMT ref: 00452998
                                                                        • __fread_nolock.LIBCMT ref: 004529A9
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                          • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                          • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                          • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                        • __fread_nolock.LIBCMT ref: 00452A39
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                        • String ID:
                                                                        • API String ID: 2054058615-0
                                                                        • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                        • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                        • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                        • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                        Function 004559A8 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 401COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0
                                                                        • API String ID: 0-4108050209
                                                                        • Opcode ID: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                                        • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                        • Opcode Fuzzy Hash: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                                                                        • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                        Function 00448759 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window
                                                                        • String ID: 0
                                                                        • API String ID: 2353593579-4108050209
                                                                        • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                        • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                        • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                        • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                        Function 0044A0EA Relevance: 31.7, APIs: 21, Instructions: 196windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetSysColor.USER32 ref: 0044A11D
                                                                        • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                        • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                        • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                        • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                        • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                        • GetWindowDC.USER32 ref: 0044A277
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                        • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                        • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                        • String ID:
                                                                        • API String ID: 1744303182-0
                                                                        • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                        • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                                        • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                        • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                                        Function 0046884B Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 113COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$__wcsnicmp
                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                        • API String ID: 790654849-1810252412
                                                                        • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                        • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                        • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                        • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                        Function 0046CAAA Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 229COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                        • API String ID: 0-1896584978
                                                                        • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                        • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
                                                                        • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                        • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
                                                                        Function 00476A8A Relevance: 27.3, APIs: 18, Instructions: 332COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: InitVariant
                                                                        • String ID:
                                                                        • API String ID: 1927566239-0
                                                                        • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                        • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                        • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                        • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                        Function 0046D6EB Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 474COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                                        • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                        • IsWindow.USER32(?), ref: 0046DBDE
                                                                        • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                        • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                                        • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                          • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                        • API String ID: 1322021666-1919597938
                                                                        • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                        • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                        • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                        • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                        Function 0043737D Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 83windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$IconLoad
                                                                        • String ID: blank$info$question$stop$warning
                                                                        • API String ID: 2485277191-404129466
                                                                        • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                        • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                                        • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                        • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                                        Function 00428604 Relevance: 25.8, APIs: 17, Instructions: 306stringCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                                        • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                                        • strncnt.LIBCMT ref: 00428646
                                                                        • strncnt.LIBCMT ref: 0042865A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: strncnt$CompareErrorLastString
                                                                        • String ID:
                                                                        • API String ID: 1776594460-0
                                                                        • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                        • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                                        • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                        • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                        Function 004545C9 Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                        • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                        • GetWindowRect.USER32(?,?), ref: 00454688
                                                                        • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                        • GetDesktopWindow.USER32 ref: 00454708
                                                                        • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                        • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                        • GetClientRect.USER32(?,?), ref: 0045476F
                                                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                                        • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                        • String ID:
                                                                        • API String ID: 3869813825-0
                                                                        • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                        • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                        • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                        • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                        Function 00458D1C Relevance: 25.6, APIs: 17, Instructions: 112COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                                        • GetCursorInfo.USER32 ref: 00458E03
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$Load$Info
                                                                        • String ID:
                                                                        • API String ID: 2577412497-0
                                                                        • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                        • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                        • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                        • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                        Function 00469681 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                                        • GetFocus.USER32 ref: 004696E0
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$CtrlFocus
                                                                        • String ID: 0
                                                                        • API String ID: 1534620443-4108050209
                                                                        • Opcode ID: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                                        • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                                        • Opcode Fuzzy Hash: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                                                                        • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                                        Function 004680EB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 204windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00468107
                                                                        • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                                                        • GetMenuItemCount.USER32(?), ref: 00468227
                                                                        • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                                                        • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                                                        • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                                                        • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                                                        • GetMenuItemCount.USER32 ref: 004682DC
                                                                        • SetMenuItemInfoW.USER32 ref: 00468317
                                                                        • GetCursorPos.USER32(00000000), ref: 00468322
                                                                        • SetForegroundWindow.USER32(?), ref: 0046832D
                                                                        • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                                                        • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                        • String ID: 0
                                                                        • API String ID: 3993528054-4108050209
                                                                        • Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                        • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                                        • Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                        • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                                        Function 0046F2B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                                          • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                          • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                          • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                        • SendMessageW.USER32(?), ref: 0046F34C
                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                                        • _wcscat.LIBCMT ref: 0046F3BC
                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                                        • DragFinish.SHELL32(?), ref: 0046F414
                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                        • API String ID: 4085615965-3440237614
                                                                        • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                        • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                        • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                        • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                                                        Function 0044B988 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll
                                                                        • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                        • API String ID: 3832890014-4202584635
                                                                        • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                        • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                                        • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                        • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                                        Function 00466999 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 312COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 004669C4
                                                                        • _wcsncpy.LIBCMT ref: 00466A21
                                                                        • _wcsncpy.LIBCMT ref: 00466A4D
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • _wcstok.LIBCMT ref: 00466A90
                                                                          • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                                        • _wcstok.LIBCMT ref: 00466B3F
                                                                        • _wcscpy.LIBCMT ref: 00466BC8
                                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                                        • _wcslen.LIBCMT ref: 00466D1D
                                                                        • _memset.LIBCMT ref: 00466BEE
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • _wcslen.LIBCMT ref: 00466D4B
                                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                        • String ID: X$HH
                                                                        • API String ID: 3021350936-1944015008
                                                                        • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                        • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                                        • Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                        • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                                        Function 0045F48E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226windowsleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0045F4AE
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                                                        • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                                                        • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: InfoItemMenu$Sleep_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1504565804-4108050209
                                                                        • Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                        • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                                        • Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                        • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                                        Function 004556F8 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 216COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateDestroy
                                                                        • String ID: ,$tooltips_class32
                                                                        • API String ID: 1109047481-3856767331
                                                                        • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                        • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                                        • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                        • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                                        Function 0045CBCC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _wcsncpy.LIBCMT ref: 0045CCFA
                                                                        • __wsplitpath.LIBCMT ref: 0045CD3C
                                                                        • _wcscat.LIBCMT ref: 0045CD51
                                                                        • _wcscat.LIBCMT ref: 0045CD63
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                                          • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                        • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                                        • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                                        • _wcscpy.LIBCMT ref: 0045CE14
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                        • String ID: *.*
                                                                        • API String ID: 1153243558-438819550
                                                                        • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                        • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                                        • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                        • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                                        Function 0045510D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 115windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00455127
                                                                        • GetMenuItemInfoW.USER32 ref: 00455146
                                                                        • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                                        • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                                        • GetMenuItemCount.USER32(?), ref: 004551D9
                                                                        • SetMenu.USER32(?,00000000), ref: 004551E7
                                                                        • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                                        • DrawMenuBar.USER32 ref: 00455207
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1663942905-4108050209
                                                                        • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                        • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                        • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                        • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                        Function 00415C25 Relevance: 22.7, APIs: 15, Instructions: 236COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 1481289235-0
                                                                        • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                        • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                        • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                        • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                        Function 0046FB53 Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                        • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                        • SendMessageW.USER32 ref: 0046FBAF
                                                                        • SendMessageW.USER32 ref: 0046FBE2
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                        • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                        • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                        • SendMessageW.USER32 ref: 0046FD00
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                        • String ID:
                                                                        • API String ID: 2632138820-0
                                                                        • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                        • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                        • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                        • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                        Function 00433BAC Relevance: 22.6, APIs: 15, Instructions: 79COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                                        • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CursorLoad
                                                                        • String ID:
                                                                        • API String ID: 3238433803-0
                                                                        • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                        • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                        • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                        • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                        Function 00460ABB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                        • _wcslen.LIBCMT ref: 00460B00
                                                                        • __swprintf.LIBCMT ref: 00460B9E
                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                        • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                                        • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                        • GetParent.USER32(?), ref: 00460D40
                                                                        • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                        • String ID: %s%u
                                                                        • API String ID: 1899580136-679674701
                                                                        • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                        • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                        • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                        • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                        Function 0047D5F6 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 210COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                        • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                        • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                        • API String ID: 2485709727-934586222
                                                                        • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                        • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                        • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                        • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                        Function 0045DB3E Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                        • String ID: HH
                                                                        • API String ID: 3381189665-2761332787
                                                                        • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                        • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                        • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                        • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                        Function 00434506 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00434585
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                        • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                        • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                        • String ID: (
                                                                        • API String ID: 3300687185-3887548279
                                                                        • Opcode ID: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                                        • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                        • Opcode Fuzzy Hash: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                                                                        • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                                        Function 0045E41B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 150COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                        • __swprintf.LIBCMT ref: 0045E4D9
                                                                        • _printf.LIBCMT ref: 0045E595
                                                                        • _printf.LIBCMT ref: 0045E5B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: LoadString_printf$__swprintf_wcslen
                                                                        • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                        • API String ID: 3590180749-2894483878
                                                                        • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                        • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                        • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                        • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                        Function 0046F90E Relevance: 21.1, APIs: 14, Instructions: 147windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                        • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                                        • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                        • DeleteObject.GDI32(?), ref: 0046F950
                                                                        • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                                        • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                        • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                        • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                        • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                        • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                        • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                        • DeleteObject.GDI32(?), ref: 0046FA68
                                                                        • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                        • String ID:
                                                                        • API String ID: 3412594756-0
                                                                        • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                        • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                        • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                        • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                        Function 0045D971 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 140COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                          • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                        • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                        • API String ID: 4013263488-4113822522
                                                                        • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                        • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                        • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                        • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                        Function 00435A35 Relevance: 21.1, APIs: 14, Instructions: 136timeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                        • String ID:
                                                                        • API String ID: 228034949-0
                                                                        • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                        • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                        • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                        • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                        Function 004334CA Relevance: 21.1, APIs: 14, Instructions: 132filecommemoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                        • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                                        • DeleteObject.GDI32(?), ref: 00433603
                                                                        • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                        • String ID:
                                                                        • API String ID: 3969911579-0
                                                                        • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                        • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                        • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                        • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                        Function 00445A77 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetParent.USER32 ref: 00445A8D
                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                        • __wcsicoll.LIBCMT ref: 00445AC4
                                                                        • __wcsicoll.LIBCMT ref: 00445AE0
                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                        • API String ID: 3125838495-3381328864
                                                                        • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                        • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                        • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                        • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                        Function 00479921 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 314COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CopyVariant$ErrorLast
                                                                        • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                        • API String ID: 2286883814-4206948668
                                                                        • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                        • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                        • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                        • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                        Function 00475D8B Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                          • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                        • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                        • _wcscpy.LIBCMT ref: 00475F18
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                        • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                        • API String ID: 3052893215-4176887700
                                                                        • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                        • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                        • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                        • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                        Function 004582BF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                                        • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                        • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                        • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                        • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                          • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                        • String ID: Version$\TypeLib$interface\
                                                                        • API String ID: 656856066-939221531
                                                                        • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                        • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                        • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                        • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                        Function 0045E62E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 155COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                        • __swprintf.LIBCMT ref: 0045E6EE
                                                                        • _printf.LIBCMT ref: 0045E7A9
                                                                        • _printf.LIBCMT ref: 0045E7D2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: LoadString_printf$__swprintf_wcslen
                                                                        • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 3590180749-2354261254
                                                                        • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                        • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                        • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                        • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                        Function 004580E1 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 136registryshareCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • _memset.LIBCMT ref: 00458194
                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                        • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                        • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                        • API String ID: 2255324689-22481851
                                                                        • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                        • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                        • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                        • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                        Function 004584D6 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                        • __wcsicoll.LIBCMT ref: 004585D6
                                                                        • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                        • String ID: ($interface$interface\
                                                                        • API String ID: 2231185022-3327702407
                                                                        • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                        • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                        • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                        • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                        Function 00436582 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                                                                        • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                                                                        • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                                                                        • _wcscpy.LIBCMT ref: 004365F5
                                                                        • WSACleanup.WSOCK32 ref: 004365FD
                                                                        • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                                                                        • _strcat.LIBCMT ref: 0043662F
                                                                        • _wcscpy.LIBCMT ref: 00436644
                                                                        • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                                                                        • _wcscpy.LIBCMT ref: 00436666
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                        • String ID: 0.0.0.0
                                                                        • API String ID: 2691793716-3771769585
                                                                        • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                        • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                        • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                        • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                        Function 00416B12 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                        • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                          • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                          • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                        • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                        • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                        • __lock.LIBCMT ref: 00416B8A
                                                                        • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                        • __lock.LIBCMT ref: 00416BAB
                                                                        • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                        • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                        • API String ID: 1028249917-2843748187
                                                                        • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                        • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                        • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                        • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                        Function 0044920C Relevance: 18.2, APIs: 12, Instructions: 243windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                        • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                        • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                        • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                        • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CharNext
                                                                        • String ID:
                                                                        • API String ID: 1350042424-0
                                                                        • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                        • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                        • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                        • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                        Function 00453B94 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                                        • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                                        • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                                        • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                                        • GetKeyState.USER32(00000011), ref: 00453D15
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                                        • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                                        • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                        • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                        • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                        • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                                        Function 00437DB1 Relevance: 18.2, APIs: 12, Instructions: 180COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                        • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                        • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                        • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                        • String ID:
                                                                        • API String ID: 3096461208-0
                                                                        • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                        • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                        • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                        • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                                        Function 00436879 Relevance: 18.1, APIs: 12, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                        • String ID:
                                                                        • API String ID: 136442275-0
                                                                        • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                        • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                                        • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                        • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                                        Function 0046B39A Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 401registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ConnectRegistry_wcslen
                                                                        • String ID: HH
                                                                        • API String ID: 535477410-2761332787
                                                                        • Opcode ID: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                                        • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                                        • Opcode Fuzzy Hash: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
                                                                        • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                                        Function 00460473 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                                        • _wcslen.LIBCMT ref: 00460502
                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                                        • GetWindowRect.USER32(?,?), ref: 004606AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                                        • String ID: ThumbnailClass
                                                                        • API String ID: 4123061591-1241985126
                                                                        • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                        • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                                        • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                        • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                                        Function 0046F50B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 157windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                          • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                          • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                          • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                        • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                                        • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                                        • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                                        • ReleaseCapture.USER32 ref: 0046F589
                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                                        • API String ID: 2483343779-2060113733
                                                                        • Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                        • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                        • Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                        • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                        Function 0046FD7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 143windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                        • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                        • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                        • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                        • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                        • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                        • String ID: 2
                                                                        • API String ID: 1331449709-450215437
                                                                        • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                        • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                        • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                        • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                        Function 00450E7D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyWindow
                                                                        • String ID: static
                                                                        • API String ID: 3375834691-2160076837
                                                                        • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                        • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                                        • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                        • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                                        Function 004393E2 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                        • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                        • _memcmp.LIBCMT ref: 004394A9
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                                        Strings
                                                                        • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                        • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                        • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                        • API String ID: 1446985595-805462909
                                                                        • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                        • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                        • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                        • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                        Function 0045D83D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                        • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DriveType
                                                                        • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                        • API String ID: 2907320926-41864084
                                                                        • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                        • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                        • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                        • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                        Function 00467214 Relevance: 16.8, APIs: 11, Instructions: 313COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                        • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                        • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                        • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                        • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                        • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                        • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                        • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                        • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                        • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID:
                                                                        • API String ID: 1932665248-0
                                                                        • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                        • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                        • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                        • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                                        Function 004480F2 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                                        • _memset.LIBCMT ref: 004481BA
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                                        • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                                        • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                                        • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                                        • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 830647256-0
                                                                        • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                        • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                                        • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                        • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                                        Function 0046EA7F Relevance: 16.7, APIs: 11, Instructions: 167windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                        • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                                        • DeleteObject.GDI32(00000000), ref: 0046EB4F
                                                                        • DestroyIcon.USER32(017D00C0), ref: 0046EB67
                                                                        • DeleteObject.GDI32(6E1DE220), ref: 0046EB7F
                                                                        • DestroyWindow.USER32(00000043), ref: 0046EB97
                                                                        • DestroyIcon.USER32(?), ref: 0046EBBF
                                                                        • DestroyIcon.USER32(?), ref: 0046EBCD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                                        • String ID:
                                                                        • API String ID: 802431696-0
                                                                        • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                        • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                                        • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                        • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                                        Function 00444D52 Relevance: 16.6, APIs: 11, Instructions: 132keyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                                        • GetKeyState.USER32(000000A0), ref: 00444E26
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                                        • GetKeyState.USER32(000000A1), ref: 00444E51
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                                        • GetKeyState.USER32(00000011), ref: 00444E77
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                                        • GetKeyState.USER32(00000012), ref: 00444E9D
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                                        • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                        • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                                        • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                        • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                                        Function 00474335 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 308COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HH
                                                                        • API String ID: 0-2761332787
                                                                        • Opcode ID: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
                                                                        • Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
                                                                        • Opcode Fuzzy Hash: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
                                                                        • Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
                                                                        Function 004507E7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                                                        • _wcslen.LIBCMT ref: 00450944
                                                                        • _wcscat.LIBCMT ref: 00450955
                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                                        • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window_wcscat_wcslen
                                                                        • String ID: -----$SysListView32
                                                                        • API String ID: 4008455318-3975388722
                                                                        • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                        • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                                        • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                        • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                                        Function 00448602 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00448625
                                                                        • CreateMenu.USER32 ref: 0044863C
                                                                        • SetMenu.USER32(?,00000000), ref: 0044864C
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                                                        • IsMenu.USER32(?), ref: 004486EB
                                                                        • CreatePopupMenu.USER32 ref: 004486F5
                                                                        • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                                                        • DrawMenuBar.USER32 ref: 00448742
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                        • String ID: 0
                                                                        • API String ID: 176399719-4108050209
                                                                        • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                        • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                                        • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                        • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                                        Function 004691F4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                                                        • GetParent.USER32 ref: 004692A4
                                                                        • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                                                        • GetParent.USER32 ref: 004692C7
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent$_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 2040099840-1403004172
                                                                        • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                        • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                                        • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                        • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                                        Function 004693F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                                        • GetParent.USER32 ref: 0046949E
                                                                        • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                                        • GetParent.USER32 ref: 004694C1
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent$_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 2040099840-1403004172
                                                                        • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                        • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                                        • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                        • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                                        Function 00448DAF Relevance: 15.2, APIs: 10, Instructions: 173windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                                        • SendMessageW.USER32(769523D0,00001001,00000000,00000000), ref: 00448E73
                                                                        • SendMessageW.USER32(769523D0,00001026,00000000,00000000), ref: 00448E7E
                                                                          • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                        • String ID:
                                                                        • API String ID: 3771399671-0
                                                                        • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                        • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                                        • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                        • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                                        Function 0046ECBF Relevance: 15.1, APIs: 10, Instructions: 101COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3413494760-0
                                                                        • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                        • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                                        • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                        • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                                        Function 004377B4 Relevance: 15.1, APIs: 10, Instructions: 97threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                                        • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                        • String ID:
                                                                        • API String ID: 2156557900-0
                                                                        • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                        • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                        • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                        • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                                                        Function 0045F776 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 446COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll
                                                                        • String ID: 0%d$DOWN$OFF
                                                                        • API String ID: 3832890014-468733193
                                                                        • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                        • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                        • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                        • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                        Function 0045E912 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 353timeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                        • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                        • VariantClear.OLEAUT32 ref: 0045E970
                                                                        • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                        • __swprintf.LIBCMT ref: 0045EB1F
                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                        Strings
                                                                        • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                        • String ID: %4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 43541914-1568723262
                                                                        • Opcode ID: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                                        • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                        • Opcode Fuzzy Hash: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                                                                        • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                        Function 0042FE54 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                        • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                        • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DecrementInterlocked$Sleep
                                                                        • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                        • API String ID: 2250217261-3412429629
                                                                        • Opcode ID: 259a8d3968bbabb0e43eb8f22aa2195a71f663abf8571a10d24c6569a0fcc496
                                                                        • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                        • Opcode Fuzzy Hash: 259a8d3968bbabb0e43eb8f22aa2195a71f663abf8571a10d24c6569a0fcc496
                                                                        • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                        Function 004689FF Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 288COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                        • API String ID: 0-1603158881
                                                                        • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                        • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                        • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                        • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                        Function 00479C97 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 274COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00479D1F
                                                                        • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                        • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                        • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                          • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                          • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                          • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                        • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                          • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                        • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                        • API String ID: 665237470-60002521
                                                                        • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                        • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                        • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                        • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                        Function 00401D10 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 235COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                        • DestroyWindow.USER32(?), ref: 0042A751
                                                                        • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                        • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                        • String ID: close all$#v
                                                                        • API String ID: 4174999648-3101823635
                                                                        • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                        • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                                        • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                        • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                                        Function 0046A75F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ConnectRegistry_wcslen
                                                                        • String ID: HH
                                                                        • API String ID: 535477410-2761332787
                                                                        • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                        • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                                        • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                        • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                                        Function 0045F2C5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0045F317
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                                        • IsMenu.USER32(?), ref: 0045F380
                                                                        • CreatePopupMenu.USER32 ref: 0045F3C5
                                                                        • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                                        • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                        • String ID: 0$2
                                                                        • API String ID: 3311875123-3793063076
                                                                        • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                        • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                                        • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                        • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                                        Function 0043717F Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\Pi648je050.exe), ref: 0043719E
                                                                        • LoadStringW.USER32(00000000), ref: 004371A7
                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                                        • LoadStringW.USER32(00000000), ref: 004371C0
                                                                        • _printf.LIBCMT ref: 004371EC
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                                        Strings
                                                                        • C:\Users\user\Desktop\Pi648je050.exe, xrefs: 00437189
                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString$Message_printf
                                                                        • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Pi648je050.exe
                                                                        • API String ID: 220974073-3280293636
                                                                        • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                        • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                                                        • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                        • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                                                        Function 00456168 Relevance: 13.7, APIs: 9, Instructions: 181COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                        • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                                                        • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                        • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                                                        Function 004534EB Relevance: 13.6, APIs: 9, Instructions: 150filestringCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Pi648je050.exe,?,C:\Users\user\Desktop\Pi648je050.exe,004A8E80,C:\Users\user\Desktop\Pi648je050.exe,0040F3D2), ref: 0040FFCA
                                                                          • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                                        • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 978794511-0
                                                                        • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                        • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                                        • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                        • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                                        Function 004417BC Relevance: 13.6, APIs: 9, Instructions: 142COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                        • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                                        • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                        • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                                        Function 00445CF9 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                          • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                                          • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                        • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                                        • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                        • String ID:
                                                                        • API String ID: 2014098862-0
                                                                        • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                        • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                                        • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                        • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                                                        Function 0045427D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc_malloc$_strcat_strlen
                                                                        • String ID: AU3_FreeVar
                                                                        • API String ID: 2184576858-771828931
                                                                        • Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                        • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                                        • Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                        • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                                        Function 0044AA1F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                        • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                          • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                        • String ID:
                                                                        • API String ID: 1291720006-3916222277
                                                                        • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                        • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                        • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                        • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                                        Function 0046BB59 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastselect
                                                                        • String ID: HH
                                                                        • API String ID: 215497628-2761332787
                                                                        • Opcode ID: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                                        • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                        • Opcode Fuzzy Hash: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
                                                                        • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                        Function 0047D2F8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __snwprintf__wcsicoll_wcscpy
                                                                        • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                        • API String ID: 1729044348-3708979750
                                                                        • Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                                        • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                        • Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                                                                        • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                        Function 0044BBC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100filestringCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Pi648je050.exe,?,C:\Users\user\Desktop\Pi648je050.exe,004A8E80,C:\Users\user\Desktop\Pi648je050.exe,0040F3D2), ref: 0040FFCA
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                        • _wcscat.LIBCMT ref: 0044BCAA
                                                                        • _wcslen.LIBCMT ref: 0044BCB7
                                                                        • _wcslen.LIBCMT ref: 0044BCCB
                                                                        • SHFileOperationW.SHELL32 ref: 0044BD16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                        • String ID: \*.*
                                                                        • API String ID: 2326526234-1173974218
                                                                        • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                        • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                                        • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                        • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                                        Function 004366BE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                                        • _wcslen.LIBCMT ref: 004366DD
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                                        • GetLastError.KERNEL32 ref: 0043670F
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                                        • _wcsrchr.LIBCMT ref: 0043674C
                                                                          • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                        • String ID: \
                                                                        • API String ID: 321622961-2967466578
                                                                        • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                        • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                                        • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                        • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                                        Function 0044C80C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                        • API String ID: 1038674560-2734436370
                                                                        • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                        • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                                        • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                        • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                                        Function 00441561 Relevance: 12.1, APIs: 8, Instructions: 101windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DeleteObject.GDI32(?), ref: 0044157D
                                                                        • GetDC.USER32(00000000), ref: 00441585
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 3864802216-0
                                                                        • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                        • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                                        • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                        • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                                        Function 004140DB Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                          • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                          • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                          • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                        • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                          • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                          • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                        • ExitThread.KERNEL32 ref: 0041410F
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                        • __freefls@4.LIBCMT ref: 00414135
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                        • String ID:
                                                                        • API String ID: 1925773019-0
                                                                        • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                        • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                                                        • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                        • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                                                        Function 004357AD Relevance: 12.0, APIs: 8, Instructions: 36COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                                        • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                                        • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                                        • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                                        • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                                        • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                                        • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                                        • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                        • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                                                        • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                        • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                                                        Function 00464A0E Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                                                                          • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                        • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                                                                        • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                                                                        • _memset.LIBCMT ref: 00464B92
                                                                        • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                                        • WSACleanup.WSOCK32 ref: 00464CE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                                        • String ID:
                                                                        • API String ID: 3424476444-0
                                                                        • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                        • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                                        • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                        • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                                                        Function 00440B39 Relevance: 10.8, APIs: 7, Instructions: 261COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MetricsSystem
                                                                        • String ID:
                                                                        • API String ID: 4116985748-0
                                                                        • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                        • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                                        • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                        • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                        Function 0046AB70 Relevance: 10.8, APIs: 7, Instructions: 260registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ConnectRegistry_wcslen
                                                                        • String ID:
                                                                        • API String ID: 535477410-0
                                                                        • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                        • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                                        • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                        • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                                        Function 0045377F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • _memset.LIBCMT ref: 004538C4
                                                                        • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                                        • _wcslen.LIBCMT ref: 00453960
                                                                        • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                        • String ID: 0
                                                                        • API String ID: 3530711334-4108050209
                                                                        • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                        • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                        • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                        • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                        Function 0047395A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                                                        • String ID: HH
                                                                        • API String ID: 3488606520-2761332787
                                                                        • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                        • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                                        • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                        • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                                        Function 004472C8 Relevance: 10.7, APIs: 7, Instructions: 207COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                          • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                          • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                        • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                        • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                        • LineTo.GDI32(?,?), ref: 004474BF
                                                                        • CloseFigure.GDI32(?), ref: 004474C6
                                                                        • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                        • Rectangle.GDI32(?,?), ref: 004474F3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                        • String ID:
                                                                        • API String ID: 4082120231-0
                                                                        • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                        • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                                        • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                        • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                                        Function 00447303 Relevance: 10.7, APIs: 7, Instructions: 192COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                          • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                          • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                        • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                        • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                        • LineTo.GDI32(?,?), ref: 004474BF
                                                                        • CloseFigure.GDI32(?), ref: 004474C6
                                                                        • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                        • Rectangle.GDI32(?,?), ref: 004474F3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                        • String ID:
                                                                        • API String ID: 4082120231-0
                                                                        • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                        • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                                        • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                        • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                                        Function 0044733D Relevance: 10.7, APIs: 7, Instructions: 177COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                                        • String ID:
                                                                        • API String ID: 288456094-0
                                                                        • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                        • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                                        • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                        • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                                        Function 0044496C Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 004449B0
                                                                        • GetKeyboardState.USER32(?), ref: 004449C3
                                                                        • SetKeyboardState.USER32(?), ref: 00444A0F
                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                        • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                                        • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                        • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                                        Function 00444B65 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 00444BA9
                                                                        • GetKeyboardState.USER32(?), ref: 00444BBC
                                                                        • SetKeyboardState.USER32(?), ref: 00444C08
                                                                        • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                                        • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                                        • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                                        • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                        • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                                        • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                        • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                                        Function 004498BD Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                        • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                                        • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                        • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                                        Function 0046A98D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ConnectRegistry_wcslen
                                                                        • String ID: HH
                                                                        • API String ID: 535477410-2761332787
                                                                        • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                        • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                                        • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                        • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                                        Function 00457C08 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00457C34
                                                                        • _memset.LIBCMT ref: 00457CE8
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                                        • String ID: <$@
                                                                        • API String ID: 1325244542-1426351568
                                                                        • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                        • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                                        • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                        • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                                        Function 0047375F Relevance: 10.6, APIs: 7, Instructions: 150processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                        • __wsplitpath.LIBCMT ref: 004737E1
                                                                          • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                        • _wcscat.LIBCMT ref: 004737F6
                                                                        • __wcsicoll.LIBCMT ref: 00473818
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                        • String ID:
                                                                        • API String ID: 2547909840-0
                                                                        • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                        • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                        • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                        • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                        Function 00455297 Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                        • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                        • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                        • String ID:
                                                                        • API String ID: 2354583917-0
                                                                        • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                        • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                        • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                        • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                        Function 00463D7E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                        • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                                        • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                                        • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                        • String ID: #v
                                                                        • API String ID: 2449869053-554117064
                                                                        • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                        • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                        • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                        • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                                        Function 0047762A Relevance: 10.6, APIs: 7, Instructions: 140windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                        • GetMenu.USER32 ref: 004776AA
                                                                        • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                        • _wcslen.LIBCMT ref: 0047771A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$CountItemStringWindow_wcslen
                                                                        • String ID:
                                                                        • API String ID: 1823500076-0
                                                                        • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                        • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                        • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                        • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                        Function 00448877 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                        • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                        • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                        • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                        • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$MessageMoveSend
                                                                        • String ID:
                                                                        • API String ID: 896007046-0
                                                                        • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                        • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                        • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                        • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                        Function 004413F0 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                        • SendMessageW.USER32(017D1C38,000000F1,00000000,00000000), ref: 004414C6
                                                                        • SendMessageW.USER32(017D1C38,000000F1,00000001,00000000), ref: 004414F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 312131281-0
                                                                        • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                        • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                        • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                        • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                        Function 0044849C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 004484C4
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                                        • IsMenu.USER32(?), ref: 0044857B
                                                                        • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                                        • DrawMenuBar.USER32 ref: 004485E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                                        • String ID: 0
                                                                        • API String ID: 3866635326-4108050209
                                                                        • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                        • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                        • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                        • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                        Function 0047244D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                        • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                        • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                        • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                        • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                        • String ID: 0vH
                                                                        • API String ID: 327565842-3662162768
                                                                        • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                        • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                                        • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                        • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                                        Function 00448AFF Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                                        • GetFocus.USER32 ref: 00448B1C
                                                                        • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                        • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                        • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$FocusMessageSend
                                                                        • String ID:
                                                                        • API String ID: 3429747543-0
                                                                        • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                        • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                                        • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                        • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                                        Function 0045D321 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                                        • __swprintf.LIBCMT ref: 0045D3CC
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                        • String ID: %lu$HH
                                                                        • API String ID: 3164766367-3924996404
                                                                        • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                        • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                                        • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                        • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                                        Function 00450DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                                        • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Msctls_Progress32
                                                                        • API String ID: 3850602802-3636473452
                                                                        • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                        • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                                        • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                        • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                                        Function 00455449 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                        • String ID:
                                                                        • API String ID: 3985565216-0
                                                                        • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                        • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                                        • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                        • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                                        Function 00415702 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                                        • __calloc_crt.LIBCMT ref: 00415743
                                                                        • __getptd.LIBCMT ref: 00415750
                                                                        • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                                        • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                                        • __dosmaperr.LIBCMT ref: 004157A9
                                                                          • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                          • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 1269668773-0
                                                                        • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                        • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                                        • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                        • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                                        Function 00439102 Relevance: 10.5, APIs: 7, Instructions: 46threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                                          • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                                        • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                        • String ID:
                                                                        • API String ID: 1957940570-0
                                                                        • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                        • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                                        • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                        • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                                        Function 0041568B Relevance: 10.5, APIs: 7, Instructions: 37threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                          • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                          • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                          • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                        • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                          • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                          • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                        • ExitThread.KERNEL32 ref: 004156BD
                                                                        • __freefls@4.LIBCMT ref: 004156D9
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                        • String ID:
                                                                        • API String ID: 4166825349-0
                                                                        • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                        • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                        • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                        • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                        Function 00434124 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 15libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                        • API String ID: 2574300362-3261711971
                                                                        • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                        • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                        • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                        • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                                        Function 0047B1D0 Relevance: 9.5, APIs: 6, Instructions: 489COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                        • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                        • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                        • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                        Function 004336C7 Relevance: 9.3, APIs: 6, Instructions: 253COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 00433724
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                        • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                        • GetWindowRect.USER32(?,?), ref: 00433814
                                                                        • ScreenToClient.USER32(?,?), ref: 00433842
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                        • String ID:
                                                                        • API String ID: 3220332590-0
                                                                        • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                        • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                        • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                        • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                        Function 00457838 Relevance: 9.2, APIs: 6, Instructions: 176COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1612042205-0
                                                                        • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                        • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                        • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                        • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                        Function 0044C522 Relevance: 9.2, APIs: 6, Instructions: 155windowkeyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                        • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                        • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                        • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                        • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                        • SendInput.USER32 ref: 0044C6E2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$InputSend
                                                                        • String ID:
                                                                        • API String ID: 2221674350-0
                                                                        • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                        • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                        • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                        • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                                        Function 00445153 Relevance: 9.1, APIs: 6, Instructions: 142COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$_wcscat
                                                                        • String ID:
                                                                        • API String ID: 2037614760-0
                                                                        • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                        • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                        • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                        • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                        Function 00447B66 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                        • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                        • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                        • EndPaint.USER32(?,?), ref: 00447CD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                        • String ID:
                                                                        • API String ID: 4189319755-0
                                                                        • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                        • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                        • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                        • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                        Function 0044B474 Relevance: 9.1, APIs: 6, Instructions: 113fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                        • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                        • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID:
                                                                        • API String ID: 1726766782-0
                                                                        • Opcode ID: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                                        • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                        • Opcode Fuzzy Hash: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                                                                        • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                        Function 00441077 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                                        • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                                        • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                                        • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                                        • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 642888154-0
                                                                        • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                        • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                                        • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                        • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                                        Function 00449063 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                                        • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow$InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 1976402638-0
                                                                        • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                        • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                                        • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                        • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                                        Function 00442582 Relevance: 9.1, APIs: 6, Instructions: 104COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetForegroundWindow.USER32 ref: 00442597
                                                                          • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                                        • GetDesktopWindow.USER32 ref: 004425BF
                                                                        • GetWindowRect.USER32(00000000), ref: 004425C6
                                                                        • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                                          • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                        • GetCursorPos.USER32(?), ref: 00442624
                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                        • String ID:
                                                                        • API String ID: 4137160315-0
                                                                        • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                        • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                                        • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                        • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                                        Function 00448851 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                                        • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                        • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                        • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Enable$Show$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 1871949834-0
                                                                        • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                        • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                                        • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                        • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                                        Function 00449606 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0044961A
                                                                        • SendMessageW.USER32 ref: 0044964A
                                                                          • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                                        • _wcslen.LIBCMT ref: 004496BA
                                                                        • _wcslen.LIBCMT ref: 004496C7
                                                                        • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                                        • String ID:
                                                                        • API String ID: 1624073603-0
                                                                        • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                        • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                                        • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                        • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                                        Function 004416D1 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                        • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                                        • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                        • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                        Function 0045552E Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyWindow$DeleteObject$IconMove
                                                                        • String ID:
                                                                        • API String ID: 1640429340-0
                                                                        • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                        • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                        • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                        • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                                        Function 00467E5E Relevance: 9.1, APIs: 6, Instructions: 78COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                        • String ID:
                                                                        • API String ID: 3354276064-0
                                                                        • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                        • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                        • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                        • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                        Function 00455080 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                        • String ID:
                                                                        • API String ID: 752480666-0
                                                                        • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                        • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                        • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                        • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                        Function 00455212 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                        • String ID:
                                                                        • API String ID: 3275902921-0
                                                                        • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                        • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                        • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                        • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                        Function 00439326 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                        • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                        • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                        • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                        • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                        • String ID:
                                                                        • API String ID: 1413079979-0
                                                                        • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                        • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                        • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                        • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                        Function 0041415E Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                        • __calloc_crt.LIBCMT ref: 0041419B
                                                                        • __getptd.LIBCMT ref: 004141A8
                                                                        • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                        • __dosmaperr.LIBCMT ref: 00414201
                                                                          • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                          • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 1803633139-0
                                                                        • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                        • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                        • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                        • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                        Function 004555E0 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                        • String ID:
                                                                        • API String ID: 3275902921-0
                                                                        • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                        • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                        • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                        • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                        Function 004554C0 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 004554DF
                                                                        • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                        • String ID:
                                                                        • API String ID: 3691411573-0
                                                                        • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                        • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                                        • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                        • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                                        Function 0043609C Relevance: 9.1, APIs: 6, Instructions: 59COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                        • String ID:
                                                                        • API String ID: 1814673581-0
                                                                        • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                        • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                        • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                        • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                        Function 00436272 Relevance: 9.1, APIs: 6, Instructions: 59sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                        • String ID:
                                                                        • API String ID: 2833360925-0
                                                                        • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                        • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                        • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                        • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                        Function 004471EC Relevance: 9.0, APIs: 6, Instructions: 50COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                          • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                          • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                        • LineTo.GDI32(?,?,?), ref: 00447227
                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                        • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                        • EndPath.GDI32(?), ref: 0044724E
                                                                        • StrokePath.GDI32(?), ref: 0044725C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                        • String ID:
                                                                        • API String ID: 372113273-0
                                                                        • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                        • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                                        • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                        • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                                        Function 00410940 Relevance: 9.0, APIs: 6, Instructions: 49keyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Virtual
                                                                        • String ID:
                                                                        • API String ID: 4278518827-0
                                                                        • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                        • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                                        • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                        • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                                        Function 0044CBD3 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0044CBEF
                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CapsDevice$Release
                                                                        • String ID:
                                                                        • API String ID: 1035833867-0
                                                                        • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                        • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                        • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                        • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                        Function 0044B64F Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                        • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                        • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                          • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                        • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                        • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3495660284-0
                                                                        • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                        • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                        • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                        • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                        Function 00437118 Relevance: 9.0, APIs: 6, Instructions: 37windowtimethreadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 839392675-0
                                                                        • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                        • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                        • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                        • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                                        Function 0043604B Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\Pi648je050.exe,00000004), ref: 00436055
                                                                        • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                        • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                        • GetLastError.KERNEL32 ref: 00436081
                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                        • String ID:
                                                                        • API String ID: 1690418490-0
                                                                        • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                        • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                                        • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                        • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                                        Function 00475ACA Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                        • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                        • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                        • CoUninitialize.OLE32 ref: 00475D71
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                        • String ID: .lnk$HH
                                                                        • API String ID: 886957087-3121654589
                                                                        • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                        • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                                        • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                        • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                                        Function 0045F132 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1173514356-4108050209
                                                                        • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                        • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                                        • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                        • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                                        Function 00437CA6 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 107libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                        • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                        • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProc
                                                                        • String ID: AU3_GetPluginDetails$#v
                                                                        • API String ID: 145871493-3662034293
                                                                        • Opcode ID: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                                        • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                                        • Opcode Fuzzy Hash: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                                                                        • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                                        Function 004692E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 763830540-1403004172
                                                                        • Opcode ID: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                                        • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                        • Opcode Fuzzy Hash: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                                                                        • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                        Function 00443981 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                          • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,76232EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                          • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                          • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentHandleProcess$Duplicate
                                                                        • String ID: nul
                                                                        • API String ID: 2124370227-2873401336
                                                                        • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                        • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                        • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                        • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                        Function 00443887 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                          • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,76232EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                          • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                          • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentHandleProcess$Duplicate
                                                                        • String ID: nul
                                                                        • API String ID: 2124370227-2873401336
                                                                        • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                        • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                                        • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                        • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                                        Function 004412AE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowlibraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                        • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                        • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                        • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                        • String ID: SysAnimate32
                                                                        • API String ID: 3529120543-1011021900
                                                                        • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                        • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                                        • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                        • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                                        Function 00443009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                        • TranslateMessage.USER32(?), ref: 0044308B
                                                                        • DispatchMessageW.USER32(?), ref: 00443096
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                        • String ID: *.*
                                                                        • API String ID: 1795658109-438819550
                                                                        • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                        • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                                        • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                        • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                                        Function 004609BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                          • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                          • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                          • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                          • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                        • GetFocus.USER32 ref: 004609EF
                                                                          • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                          • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                        • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                                        • __swprintf.LIBCMT ref: 00460A7A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                        • String ID: %s%d
                                                                        • API String ID: 991886796-1110647743
                                                                        • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                        • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                                        • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                        • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                                        Function 0040F790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$_sprintf
                                                                        • String ID: %02X
                                                                        • API String ID: 891462717-436463671
                                                                        • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                        • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                                        • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                        • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                                        Function 0040F3B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0042CD00
                                                                        • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                          • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Pi648je050.exe,?,C:\Users\user\Desktop\Pi648je050.exe,004A8E80,C:\Users\user\Desktop\Pi648je050.exe,0040F3D2), ref: 0040FFCA
                                                                          • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                          • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                                          • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                          • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                          • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                          • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                        • String ID: $OH$@OH$X
                                                                        • API String ID: 3491138722-1394974532
                                                                        • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                        • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                                        • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                        • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                                        Function 0044C379 Relevance: 7.6, APIs: 5, Instructions: 137windowkeyboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                                        • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                                        • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                                        • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                                        • SendInput.USER32 ref: 0044C509
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardMessagePostState$InputSend
                                                                        • String ID:
                                                                        • API String ID: 3031425849-0
                                                                        • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                        • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                                        • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                        • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                                                        Function 004422B9 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                        • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Enum$CloseDeleteOpen
                                                                        • String ID:
                                                                        • API String ID: 2095303065-0
                                                                        • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                        • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                                        • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                        • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                        Function 0045C277 Relevance: 7.6, APIs: 5, Instructions: 105COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                                        • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfile$SectionWrite$String
                                                                        • String ID:
                                                                        • API String ID: 2832842796-0
                                                                        • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                        • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                        • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                        • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                        Function 0044796B Relevance: 7.6, APIs: 5, Instructions: 96COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 00447997
                                                                        • GetCursorPos.USER32(?), ref: 004479A2
                                                                        • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                        • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                                        • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1822080540-0
                                                                        • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                        • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                        • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                        • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                        Function 00447BAF Relevance: 7.6, APIs: 5, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                        • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                        • EndPaint.USER32(?,?), ref: 00447CD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                        • String ID:
                                                                        • API String ID: 659298297-0
                                                                        • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                        • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                        • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                        • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                        Function 00447870 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 004478A7
                                                                        • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                        • GetCursorPos.USER32(?), ref: 00447935
                                                                        • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CursorMenuPopupTrack$Proc
                                                                        • String ID:
                                                                        • API String ID: 1300944170-0
                                                                        • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                        • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                        • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                        • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                        Function 00448837 Relevance: 7.6, APIs: 5, Instructions: 89COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                        • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                        • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                        • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                          • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                          • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                          • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                          • Part of subcall function 004413F0: SendMessageW.USER32(017D1C38,000000F1,00000000,00000000), ref: 004414C6
                                                                          • Part of subcall function 004413F0: SendMessageW.USER32(017D1C38,000000F1,00000001,00000000), ref: 004414F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$EnableMessageSend$LongShow
                                                                        • String ID:
                                                                        • API String ID: 142311417-0
                                                                        • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                        • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                        • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                        • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                        Function 00449549 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0044955A
                                                                          • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                        • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                        • _wcslen.LIBCMT ref: 004495C1
                                                                        • _wcslen.LIBCMT ref: 004495CE
                                                                        • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                        • String ID:
                                                                        • API String ID: 1843234404-0
                                                                        • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                        • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                        • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                        • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                                        Function 00455014 Relevance: 7.6, APIs: 5, Instructions: 78COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                        • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                        • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                        • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                        Function 00445719 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00445721
                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                        • _wcslen.LIBCMT ref: 004457A3
                                                                        • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                        • String ID:
                                                                        • API String ID: 3087257052-0
                                                                        • Opcode ID: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                                        • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                        • Opcode Fuzzy Hash: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                                                                        • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                        Function 00459DCF Relevance: 7.6, APIs: 5, Instructions: 71COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • IsWindow.USER32(00000000), ref: 00459DEF
                                                                        • GetForegroundWindow.USER32 ref: 00459E07
                                                                        • GetDC.USER32(00000000), ref: 00459E44
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ForegroundPixelRelease
                                                                        • String ID:
                                                                        • API String ID: 4156661090-0
                                                                        • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                        • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                        • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                        • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                        Function 00464950 Relevance: 7.6, APIs: 5, Instructions: 68networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                        • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                                                                        • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                        • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                                                                        • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                        • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 245547762-0
                                                                        • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                        • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                        • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                        • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                        Function 0044710F Relevance: 7.6, APIs: 5, Instructions: 67COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 00447151
                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                        • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                        • BeginPath.GDI32(?), ref: 004471B7
                                                                        • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Object$Select$BeginCreateDeletePath
                                                                        • String ID:
                                                                        • API String ID: 2338827641-0
                                                                        • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                        • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                        • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                        • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                        Function 0043770A Relevance: 7.6, APIs: 5, Instructions: 56sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CounterPerformanceQuerySleep
                                                                        • String ID:
                                                                        • API String ID: 2875609808-0
                                                                        • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                        • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                        • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                        • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                                                        Function 0046FCC6 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 0046FD00
                                                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                        • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                        • DestroyIcon.USER32(?), ref: 0046FD58
                                                                        • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$DestroyIcon
                                                                        • String ID:
                                                                        • API String ID: 3419509030-0
                                                                        • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                        • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                        • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                        • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                        Function 004175A2 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 004175AE
                                                                          • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                          • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                        • __amsg_exit.LIBCMT ref: 004175CE
                                                                        • __lock.LIBCMT ref: 004175DE
                                                                        • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                                        • InterlockedIncrement.KERNEL32(017D2D90), ref: 00417626
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                        • String ID:
                                                                        • API String ID: 4271482742-0
                                                                        • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                        • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                        • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                        • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                        Function 004555B8 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$Icon
                                                                        • String ID:
                                                                        • API String ID: 4023252218-0
                                                                        • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                        • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                        • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                        • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                                        Function 0046032B Relevance: 7.5, APIs: 5, Instructions: 43windowtimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                                        • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                                        • MessageBeep.USER32(00000000), ref: 0046036D
                                                                        • KillTimer.USER32(?,0000040A), ref: 00460392
                                                                        • EndDialog.USER32(?,00000001), ref: 004603AB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 3741023627-0
                                                                        • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                        • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                                                        • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                        • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                                                        Function 00455505 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                        • String ID:
                                                                        • API String ID: 1489400265-0
                                                                        • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                        • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                                                        • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                        • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                                                        Function 0045551F Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 1042038666-0
                                                                        • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                        • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                                                                        • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                        • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                                                                        Function 0043315E Relevance: 7.5, APIs: 5, Instructions: 33COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                        • String ID:
                                                                        • API String ID: 2625713937-0
                                                                        • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                        • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                                                        • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                        • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                                                        Function 004140CF Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                        • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                          • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                          • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                          • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                        • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                          • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                          • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                        • ExitThread.KERNEL32 ref: 0041410F
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                        • __freefls@4.LIBCMT ref: 00414135
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                        • String ID:
                                                                        • API String ID: 132634196-0
                                                                        • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                        • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                                                                        • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                        • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                                                                        Function 00415601 Relevance: 7.5, APIs: 5, Instructions: 23threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                                          • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                        • __getptd_noexit.LIBCMT ref: 00415620
                                                                        • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                                                                        • __freeptd.LIBCMT ref: 0041563B
                                                                        • ExitThread.KERNEL32 ref: 00415643
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 3798957060-0
                                                                        • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                        • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                                                                        • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                        • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                                                                        Function 0041567F Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                        • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                          • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                          • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                          • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                        • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                          • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                        • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                          • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                        • ExitThread.KERNEL32 ref: 004156BD
                                                                        • __freefls@4.LIBCMT ref: 004156D9
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                        • String ID:
                                                                        • API String ID: 1537469427-0
                                                                        • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                        • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                                                                        • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                        • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                                                                        Function 0040AB16 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 423COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _malloc
                                                                        • String ID: Default$|k
                                                                        • API String ID: 1579825452-2254895183
                                                                        • Opcode ID: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                                                                        • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                                                                        • Opcode Fuzzy Hash: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                                                                        • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                                                                        Function 0044F0B1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID: '$[$h
                                                                        • API String ID: 2931989736-1224472061
                                                                        • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                        • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                                                                        • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                        • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                                                                        Function 0044F1F5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _strncmp
                                                                        • String ID: >$R$U
                                                                        • API String ID: 909875538-1924298640
                                                                        • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                        • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                                                        • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                        • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                                                        Function 0046CDA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                        • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                        • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                        • CoUninitialize.OLE32 ref: 0046CE50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                        • String ID: .lnk
                                                                        • API String ID: 886957087-24824748
                                                                        • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                        • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                                        • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                        • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                                        Function 00469BED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen
                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                        • API String ID: 176396367-557222456
                                                                        • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                        • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                                        • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                        • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                                                        Function 0042D2CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 204COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                        • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCopyInit_malloc
                                                                        • String ID: 4RH
                                                                        • API String ID: 2981388473-749298218
                                                                        • Opcode ID: 33330a00173044044b3d4ba47678e2926b365edad981b8cf660d8c4061008482
                                                                        • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                                        • Opcode Fuzzy Hash: 33330a00173044044b3d4ba47678e2926b365edad981b8cf660d8c4061008482
                                                                        • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                                        Function 004667A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170shareCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                          • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                        • __wcsnicmp.LIBCMT ref: 0046681A
                                                                        • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                        • String ID: LPT$HH
                                                                        • API String ID: 3035604524-2728063697
                                                                        • Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                                        • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                                                                        • Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                                                                        • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                                                                        Function 00438A5D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                                          • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                                        • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$MemoryProcess$ReadWrite
                                                                        • String ID: @
                                                                        • API String ID: 4055202900-2766056989
                                                                        • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                        • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                                                        • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                        • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                                                        Function 00465D41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CrackInternet_memset_wcslen
                                                                        • String ID: |
                                                                        • API String ID: 915713708-2343686810
                                                                        • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                        • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                                                        • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                        • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                                                        Function 0044A7DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                        • HttpQueryInfoW.WININET ref: 0044A892
                                                                          • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                        • String ID:
                                                                        • API String ID: 3705125965-3916222277
                                                                        • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                        • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                                                        • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                        • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                                                        Function 004509D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long
                                                                        • String ID: SysTreeView32
                                                                        • API String ID: 847901565-1698111956
                                                                        • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                        • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                                                                        • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                        • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                                                                        Function 00450C09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DestroyWindow
                                                                        • String ID: msctls_updown32
                                                                        • API String ID: 3375834691-2298589950
                                                                        • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                        • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                                        • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                        • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                                        Function 00451191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                        • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                        • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$MoveWindow
                                                                        • String ID: Listbox
                                                                        • API String ID: 3315199576-2633736733
                                                                        • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                        • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                                        • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                        • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                                        Function 0045D235 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume
                                                                        • String ID: HH
                                                                        • API String ID: 2507767853-2761332787
                                                                        • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                        • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                                        • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                        • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                                        Function 0045D42B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                        • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume
                                                                        • String ID: HH
                                                                        • API String ID: 2507767853-2761332787
                                                                        • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                        • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                        • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                        • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                        Function 00450D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                        • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: msctls_trackbar32
                                                                        • API String ID: 3850602802-1010561917
                                                                        • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                        • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                        • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                        • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                        Function 0046BD4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                        • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                                                                        • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                        • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                        • String ID: HH
                                                                        • API String ID: 1515696956-2761332787
                                                                        • Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                        • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                        • Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                        • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                        Function 004497A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                        • DrawMenuBar.USER32 ref: 00449828
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$InfoItem$Draw_malloc
                                                                        • String ID: 0
                                                                        • API String ID: 772068139-4108050209
                                                                        • Opcode ID: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                                        • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                        • Opcode Fuzzy Hash: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                                                                        • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                        Function 004342A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AllocTask_wcslen
                                                                        • String ID: hkG
                                                                        • API String ID: 2651040394-3610518997
                                                                        • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                        • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                        • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                        • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                                        Function 0043416A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                        • API String ID: 2574300362-1816364905
                                                                        • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                        • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                                        • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                        • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                                        Function 004343CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                                                                        • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: ICMP.DLL$IcmpSendEcho
                                                                        • API String ID: 2574300362-58917771
                                                                        • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                        • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                                        • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                        • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                                        Function 004343FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                                        • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: ICMP.DLL$IcmpCloseHandle
                                                                        • API String ID: 2574300362-3530519716
                                                                        • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                        • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                                        • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                        • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                                        Function 0043442C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                                        • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: ICMP.DLL$IcmpCreateFile
                                                                        • API String ID: 2574300362-275556492
                                                                        • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                        • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                                        • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                        • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                                        Function 0040EE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: IsWow64Process$kernel32.dll
                                                                        • API String ID: 2574300362-3024904723
                                                                        • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                        • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                                                        • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                        • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                                                        Function 0040ACA0 Relevance: 6.4, APIs: 4, Instructions: 368COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                                                                        • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                                        • Opcode Fuzzy Hash: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                                                                        • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                                        Function 0041456C Relevance: 6.1, APIs: 4, Instructions: 137COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __flush.LIBCMT ref: 00414630
                                                                        • __fileno.LIBCMT ref: 00414650
                                                                        • __locking.LIBCMT ref: 00414657
                                                                        • __flsbuf.LIBCMT ref: 00414682
                                                                          • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                          • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                        • String ID:
                                                                        • API String ID: 3240763771-0
                                                                        • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                        • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                                        • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                        • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                                        Function 004781AE Relevance: 6.1, APIs: 4, Instructions: 135COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                        • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                        • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CopyVariant$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 2286883814-0
                                                                        • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                        • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                                        • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                        • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                                        Function 0047404B Relevance: 6.1, APIs: 4, Instructions: 133networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                                        • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                                        • #21.WSOCK32 ref: 004740E0
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$socket
                                                                        • String ID:
                                                                        • API String ID: 1881357543-0
                                                                        • Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                        • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                                        • Opcode Fuzzy Hash: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                        • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                                                                        Function 00441CB4 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                        • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                        • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                        • MessageBeep.USER32(00000000), ref: 00441DF2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1352109105-0
                                                                        • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                        • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                        • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                        • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                        Function 0042384A Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                                        • __isleadbyte_l.LIBCMT ref: 004238B2
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                        • String ID:
                                                                        • API String ID: 3058430110-0
                                                                        • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                        • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                                        • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                        • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                                        Function 0045D070 Relevance: 6.1, APIs: 4, Instructions: 100fileCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                                        • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 3321077145-0
                                                                        • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                        • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                                        • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                        • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                                        Function 0045058D Relevance: 6.1, APIs: 4, Instructions: 98COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 004505BF
                                                                        • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                        • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                        • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Proc$Parent
                                                                        • String ID:
                                                                        • API String ID: 2351499541-0
                                                                        • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                        • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                        • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                        • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                        Function 004613E0 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                                          • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                        • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                                        • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                                        • __itow.LIBCMT ref: 00461461
                                                                        • __itow.LIBCMT ref: 004614AB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow$_wcslen
                                                                        • String ID:
                                                                        • API String ID: 2875217250-0
                                                                        • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                        • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                                        • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                        • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                                        Function 004727F8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetForegroundWindow.USER32 ref: 00472806
                                                                          • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                                          • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                                          • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                                        • GetCaretPos.USER32(?), ref: 0047281A
                                                                        • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                                        • GetForegroundWindow.USER32 ref: 0047285C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                        • String ID:
                                                                        • API String ID: 2759813231-0
                                                                        • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                        • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                                        • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                        • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                        Function 0047721A Relevance: 6.1, APIs: 4, Instructions: 73COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesLayered
                                                                        • String ID:
                                                                        • API String ID: 2169480361-0
                                                                        • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                        • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                        • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                        • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                        Function 00448C8B Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32 ref: 00448CB8
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 312131281-0
                                                                        • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                        • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                        • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                        • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                        Function 004588B0 Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • select.WSOCK32 ref: 0045890A
                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                        • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastacceptselect
                                                                        • String ID:
                                                                        • API String ID: 385091864-0
                                                                        • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                        • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                        • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                        • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                        Function 00438D4E Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                        • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                        • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                        • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                        Function 0043362D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                        • GetStockObject.GDI32(00000011), ref: 00433695
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                        • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateMessageObjectSendShowStock
                                                                        • String ID:
                                                                        • API String ID: 1358664141-0
                                                                        • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                        • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                        • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                        • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                        Function 0044419B Relevance: 6.1, APIs: 4, Instructions: 53synchronizationthreadwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 2880819207-0
                                                                        • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                        • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                        • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                        • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                        Function 0043401C Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00434037
                                                                        • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                        • ScreenToClient.USER32(?,?), ref: 00434085
                                                                        • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                        • String ID:
                                                                        • API String ID: 357397906-0
                                                                        • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                        • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                        • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                        • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                        Function 00436A1D Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __wsplitpath.LIBCMT ref: 00436A45
                                                                          • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                        • __wsplitpath.LIBCMT ref: 00436A6C
                                                                        • __wcsicoll.LIBCMT ref: 00436A93
                                                                        • __wcsicoll.LIBCMT ref: 00436AB0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                        • String ID:
                                                                        • API String ID: 1187119602-0
                                                                        • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                        • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                        • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                        • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                        Function 00437AFE Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 1597257046-0
                                                                        • Opcode ID: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                                        • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                        • Opcode Fuzzy Hash: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                                                                        • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                        Function 004555D6 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DeleteObject.GDI32(?), ref: 0045564E
                                                                        • DeleteObject.GDI32(?), ref: 0045565C
                                                                        • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                        • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteDestroyObject$IconWindow
                                                                        • String ID:
                                                                        • API String ID: 3349847261-0
                                                                        • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                        • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                                        • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                        • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                                        Function 0044B600 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                        • String ID:
                                                                        • API String ID: 2223660684-0
                                                                        • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                        • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                                        • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                        • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                                        Function 00447268 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                          • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                          • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                          • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                        • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                                        • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                                        • EndPath.GDI32(?), ref: 004472B0
                                                                        • StrokePath.GDI32(?), ref: 004472BE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                        • String ID:
                                                                        • API String ID: 2783949968-0
                                                                        • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                        • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                                        • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                        • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                                        Function 00417D0E Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 00417D1A
                                                                          • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                          • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                        • __getptd.LIBCMT ref: 00417D31
                                                                        • __amsg_exit.LIBCMT ref: 00417D3F
                                                                        • __lock.LIBCMT ref: 00417D4F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                        • String ID:
                                                                        • API String ID: 3521780317-0
                                                                        • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                        • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                                        • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                        • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                                        Function 00471144 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 00471144
                                                                        • GetDC.USER32(00000000), ref: 0047114D
                                                                        • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                                        • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                        • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                                        • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                        • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                                        Function 00471102 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 00471102
                                                                        • GetDC.USER32(00000000), ref: 0047110B
                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                                        • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                        • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                                        • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                        • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                                                                        Function 004389A1 Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                        • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                        • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                        • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 2710830443-0
                                                                        • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                        • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                                        • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                        • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                                                        Function 004390C2 Relevance: 6.0, APIs: 4, Instructions: 26synchronizationCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                                        • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                                        • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                                        • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                                          • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                                          • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                        • String ID:
                                                                        • API String ID: 146765662-0
                                                                        • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                        • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                                        • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                        • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                                        Function 0041405D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                                          • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                        • __getptd_noexit.LIBCMT ref: 00414080
                                                                        • __freeptd.LIBCMT ref: 0041408A
                                                                        • ExitThread.KERNEL32 ref: 00414093
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 3182216644-0
                                                                        • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                        • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                                        • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                        • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                                        Function 0046EDC6 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharLower
                                                                        • String ID: $8'I
                                                                        • API String ID: 2358735015-3608026889
                                                                        • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                        • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                                        • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                        • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                                        Function 00478373 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                          • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                                          • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                          • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                                        • String ID: AutoIt3GUI$Container
                                                                        • API String ID: 3380330463-3941886329
                                                                        • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                        • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                                        • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                        • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                                        Function 004099A8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 00409A61
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                          • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                          • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                          • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                        • String ID: 0vH
                                                                        • API String ID: 1143807570-3662162768
                                                                        • Opcode ID: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                                        • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                                        • Opcode Fuzzy Hash: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                                                                        • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                                                                        Function 00466587 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HH$HH
                                                                        • API String ID: 0-1787419579
                                                                        • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                        • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                                        • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                        • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                                        Function 00444652 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        • Opcode ID: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                                        • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                                        • Opcode Fuzzy Hash: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                                                                        • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                                        Function 00448358 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: '
                                                                        • API String ID: 3850602802-1997036262
                                                                        • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                        • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                                                                        • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                        • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                                                                        Function 00444571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0
                                                                        • API String ID: 0-4108050209
                                                                        • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                        • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                                                                        • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                        • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                                                                        Function 0045126C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Combobox
                                                                        • API String ID: 3850602802-2096851135
                                                                        • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                        • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                                                                        • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                        • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                                                                        Function 004515AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: LengthMessageSendTextWindow
                                                                        • String ID: edit
                                                                        • API String ID: 2978978980-2167791130
                                                                        • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                        • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                                                                        • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                        • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                                                                        Function 00474827 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 00474833
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemorySleepStatus
                                                                        • String ID: @
                                                                        • API String ID: 2783356886-2766056989
                                                                        • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                        • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                                                                        • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                        • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                                                                        Function 004647A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: htonsinet_addr
                                                                        • String ID: 255.255.255.255
                                                                        • API String ID: 3832099526-2422070025
                                                                        • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                        • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                                                                        • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                        • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                                        Function 004694DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 455545452-1403004172
                                                                        • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                        • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                                        • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                        • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                                        Function 00442AFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID: <local>
                                                                        • API String ID: 2038078732-4266983199
                                                                        • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                        • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                                        • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                        • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                                        Function 004695F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 455545452-1403004172
                                                                        • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                        • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                                        • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                        • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                                                        Function 0046956F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                          • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                        • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend_wcslen
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 455545452-1403004172
                                                                        • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                        • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                                                        • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                        • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                                                        Function 00461774 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _strncmp
                                                                        • String ID: ,$UTF8)
                                                                        • API String ID: 909875538-2632631837
                                                                        • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                        • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
                                                                        • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                        • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                                                        Function 00461772 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: _strncmp
                                                                        • String ID: ,$UTF8)
                                                                        • API String ID: 909875538-2632631837
                                                                        • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                        • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
                                                                        • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                        • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
                                                                        Function 004560AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                                          • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                        • wsprintfW.USER32 ref: 004560E9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend_mallocwsprintf
                                                                        • String ID: %d/%02d/%02d
                                                                        • API String ID: 1262938277-328681919
                                                                        • Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                                        • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                                        • Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                                                                        • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                                        Function 00442262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                                          • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                        • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                                                        • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                        • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                                                        Function 0044222A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                                                        • PostMessageW.USER32(00000000), ref: 00442247
                                                                          • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                        • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                                        • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                        • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                                        Function 00439514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                                          • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2143064456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2143048311.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143101476.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143116465.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2143145573.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Pi648je050.jbxd
                                                                        Similarity
                                                                        • API ID: Message_doexit
                                                                        • String ID: AutoIt$Error allocating memory.
                                                                        • API String ID: 1993061046-4017498283
                                                                        • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                        • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                                        • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                        • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E